On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
All rules are now created in the libvirt private firewall chains.
The
code for deleting rules will try to delete from both the original
builtin chains and the new private chains in order to cleanup properly
during upgrades.
This finally fixes a very old bug (from 2008!) related to traffic
between guests on distinct virtual networks. The intention is that
networks never allow incoming connections, but the old ordering of rules
meant that we would mistakenly accept traffic from whichever
network was most recently created.
Yay!! I've verified that traffic is blocked in both directions between
nat and isolated networks, but otherwise allowed.
The only issue I have with this is that, due to not keeping track of
what rules we've added in the past, when we restart and want to refresh
all the rules, we have to attempt deletion of both "the rules we would
add currently for the active networks" as well as "the rules we would
have added in the past (before these changes went in)". That makes for a
slight startup time penalty (and maintenance headache) now, but in the
future it will only get worse - any time we change the exact rules used
for a particular network setup, we'll have to remember what rules we
*used to* add for that type of network, and continue deleting (or
attempting to delete) those rules, in addition to all previous
incarnations of the rules *and* the new incarnation. This will end up
becoming very unwieldy.
I think instead we need to save in the network status a list of the
exact iptables (or firewalld or nftables or whatever it is in the
future) rules we have added, and always delete the exact rules that we
previously added each time we do a refresh. The sooner we do this, the
fewer headaches we'll have.
Aside from that:
Reviewed-by: Laine Stump <laine(a)laine.org>
Tested-by: Laine Stump <laine(a)laine.org>
With everything going into the FORWARD chain there was interleaving
of
rules for outbound traffic and inbound traffic for each network:
ACCEPT all -- * virbr2 0.0.0.0/0 192.168.123.0/24 ctstate
RELATED,ESTABLISHED
ACCEPT all -- virbr2 * 192.168.123.0/24 0.0.0.0/0
ACCEPT all -- virbr2 virbr2 0.0.0.0/0 0.0.0.0/0
REJECT all -- * virbr2 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
REJECT all -- virbr2 * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate
RELATED,ESTABLISHED
ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
So the rule allowing outbound traffic from virbr2 would mistakenly
allow packets from virbr2 to virbr0, before the rule denying input
to virbr0 gets a chance to run
With the split up forwarding chains, all incoming deny rules are checked
before any of the outgoing allow rules, as rules are grouped into three
distinct sets
Cross rules
ACCEPT all -- virbr2 virbr2 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
Incoming rules
ACCEPT all -- * virbr2 0.0.0.0/0 192.168.123.0/24 ctstate
RELATED,ESTABLISHED
ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate
RELATED,ESTABLISHED
REJECT all -- * virbr2 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
Outgoing rules
ACCEPT all -- virbr2 * 192.168.123.0/24 0.0.0.0/0
REJECT all -- virbr2 * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/util/viriptables.c | 71 +++++++++++++------
.../nat-default-linux.args | 32 ++++-----
.../nat-ipv6-linux.args | 48 ++++++-------
.../nat-many-ips-linux.args | 60 ++++++++--------
.../nat-no-dhcp-linux.args | 46 ++++++------
.../nat-tftp-linux.args | 34 ++++-----
.../route-default-linux.args | 22 +++---
7 files changed, 171 insertions(+), 142 deletions(-)
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index b4a4bf9a12..ad029e6465 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -209,7 +209,7 @@ iptablesAddTcpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 1);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD, 1);
}
/**
@@ -228,6 +228,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw,
int port)
{
iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 1);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE, 1);
}
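Review bot: The deletion from VIR_IPTABLES_CHAIN_BUILTIN that the added line now sits next to exists only to clean up rules left behind by releases that inserted directly into the builtin chains, but nothing in the code says so; the same unexplained pairing is repeated in iptablesRemoveUdpInput, iptablesRemoveUdpOutput, iptablesRemoveForwardAllowCross, iptablesRemoveForwardRejectOut, iptablesRemoveForwardRejectIn and iptablesRemoveOutputFixUdpChecksum. A one-line comment on each builtin-chain call would let a later maintainer retire it deliberately, e.g. `/* Legacy cleanup: older releases added this rule to the builtin chain; drop once upgrades from them are no longer supported. */`. On a host that never ran such a release the builtin deletion necessarily fails, so presumably the caller starts the removal transaction in an error-ignoring mode; that dependency is worth stating in the same comment, since a caller that does not ignore errors would abort before the private-chain deletion and leave the rule in place. The enclosing function starts outside the hunk.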
/**
@@ -245,7 +246,7 @@ iptablesAddUdpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD, 0);
}
/**
@@ -263,7 +264,8 @@ iptablesRemoveUdpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- return iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE,
0);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE, 0);
}
/**
@@ -281,7 +283,7 @@ iptablesAddUdpOutput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
+ iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD, 0);
}
/**
@@ -300,6 +302,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw,
int port)
{
iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
+ iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE, 0);
}
@@ -398,7 +401,7 @@ iptablesAddForwardAllowOut(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, ADD);
+ return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
iface, physdev, ADD);
}
/**
@@ -421,7 +424,11 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, REMOVE);
+ if (iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface,
physdev, REMOVE) < 0)
+ return -1;
+ if (iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface,
physdev, REMOVE) < 0)
+ return -1;
+ return 0;
}
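Review bot: The early `return -1` after the builtin-chain call means that when that call fails the private-chain deletion — the one that matters on a host running this release — is never queued, leaving an ACCEPT rule in FWD_libvirt_out after the network is torn down; the same shape is used in iptablesRemoveForwardAllowRelatedIn, iptablesRemoveForwardAllowIn, iptablesRemoveForwardMasquerade and iptablesRemoveDontMasquerade. If iptablesForwardAllowOut can only fail on local work that is identical for both calls (address formatting, allocation — not visible here) this is harmless, but that is an assumption the code does not record. Either attempt both deletions and return the worse status, `int ret = 0; if (...BUILTIN... REMOVE) < 0) ret = -1; if (...PRIVATE... REMOVE) < 0) ret = -1; return ret;`, or add a comment noting why short-circuiting on the legacy call is safe. The enclosing function starts outside the hunk.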
@@ -493,7 +500,7 @@ iptablesAddForwardAllowRelatedIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,
prefix, iface, physdev, ADD);
+ return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr,
prefix, iface, physdev, ADD);
}
/**
@@ -516,7 +523,11 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,
prefix, iface, physdev, REMOVE);
+ if (iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, REMOVE) < 0)
+ return -1;
+ if (iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
iface, physdev, REMOVE) < 0)
+ return -1;
+ return 0;
}
/* Allow all traffic destined to the bridge, with a valid network address
@@ -581,7 +592,7 @@ iptablesAddForwardAllowIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, ADD);
+ return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
iface, physdev, ADD);
}
/**
@@ -604,7 +615,11 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, REMOVE);
+ if (iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface,
physdev, REMOVE) < 0)
+ return -1;
+ if (iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface,
physdev, REMOVE) < 0)
+ return -1;
+ return 0;
}
static void
@@ -644,7 +659,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
+ iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, ADD);
}
/**
@@ -664,6 +679,7 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw,
const char *iface)
{
iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
+ iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, REMOVE);
}
static void
@@ -680,7 +696,7 @@ iptablesForwardRejectOut(virFirewallPtr fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "delete",
chainName[chain],
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--in-interface", iface,
"--jump", "REJECT",
NULL);
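Review bot: The change from `"delete"` to `"--delete"` is an unrelated pre-existing bug fix — the old string is not a valid iptables option, so removal of the reject-out rule would have been failing and leaving stale REJECT rules in FORWARD — and it is not mentioned in the commit message. It belongs in its own commit, or at least in a sentence of this one, so that anyone backporting the fix for stale firewall state can find it without also taking the private-chain rework. The enclosing function iptablesForwardRejectOut starts outside the hunk.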
@@ -701,7 +717,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
+ iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, ADD);
}
/**
@@ -720,6 +736,7 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw,
const char *iface)
{
iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
+ iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, REMOVE);
}
@@ -758,7 +775,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
+ iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, ADD);
}
/**
@@ -777,6 +794,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
const char *iface)
{
iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
+ iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, REMOVE);
}
@@ -914,7 +932,7 @@ iptablesAddForwardMasquerade(virFirewallPtr fw,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+ return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
physdev, addr, port, protocol, ADD);
}
@@ -940,8 +958,13 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
- physdev, addr, port, protocol, REMOVE);
+ if (iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+ physdev, addr, port, protocol, REMOVE) < 0)
+ return -1;
+ if (iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
+ physdev, addr, port, protocol, REMOVE) < 0)
+ return -1;
+ return 0;
}
@@ -1016,7 +1039,7 @@ iptablesAddDontMasquerade(virFirewallPtr fw,
const char *physdev,
const char *destaddr)
{
- return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,
prefix,
+ return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr,
prefix,
physdev, destaddr, ADD);
}
@@ -1041,8 +1064,13 @@ iptablesRemoveDontMasquerade(virFirewallPtr fw,
const char *physdev,
const char *destaddr)
{
- return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,
prefix,
- physdev, destaddr, REMOVE);
+ if (iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+ physdev, destaddr, REMOVE) < 0)
+ return -1;
+ if (iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
+ physdev, destaddr, REMOVE) < 0)
+ return -1;
+ return 0;
}
@@ -1088,7 +1116,7 @@ iptablesAddOutputFixUdpChecksum(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD);
+ iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD);
}
/**
@@ -1106,4 +1134,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw,
int port)
{
iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE);
+ iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE);
}
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args
b/tests/networkxml2firewalldata/nat-default-linux.args
index 9928da715b..69995181ad 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.args
+++ b/tests/networkxml2firewalldata/nat-default-linux.args
@@ -72,64 +72,64 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert OUT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -137,13 +137,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -151,7 +151,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -159,19 +159,19 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table mangle \
---insert POSTROUTING \
+--insert PRT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args
b/tests/networkxml2firewalldata/nat-ipv6-linux.args
index 440896de18..f93d8face2 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.args
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args
@@ -72,101 +72,101 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert OUT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 547 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -174,13 +174,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -188,7 +188,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -196,31 +196,31 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 2001:db8:ca2:2::/64 \
--in-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 2001:db8:ca2:2::/64 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table mangle \
---insert POSTROUTING \
+--insert PRT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args
b/tests/networkxml2firewalldata/nat-many-ips-linux.args
index d80a9551d4..faae4b881c 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.args
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args
@@ -72,64 +72,64 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert OUT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -137,13 +137,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -151,7 +151,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -159,25 +159,25 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.128.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.128.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -185,13 +185,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.128.0/24 '!' \
--destination 192.168.128.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.128.0/24 \
-p udp '!' \
--destination 192.168.128.0/24 \
@@ -199,7 +199,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.128.0/24 \
-p tcp '!' \
--destination 192.168.128.0/24 \
@@ -207,25 +207,25 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.128.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.128.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.150.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.150.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -233,13 +233,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.150.0/24 '!' \
--destination 192.168.150.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.150.0/24 \
-p udp '!' \
--destination 192.168.150.0/24 \
@@ -247,7 +247,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.150.0/24 \
-p tcp '!' \
--destination 192.168.150.0/24 \
@@ -255,19 +255,19 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.150.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.150.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table mangle \
---insert POSTROUTING \
+--insert PRT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
index e00c543487..cb0d908506 100644
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
@@ -72,101 +72,101 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert OUT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 547 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -174,13 +174,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -188,7 +188,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -196,25 +196,25 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 2001:db8:ca2:2::/64 \
--in-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 2001:db8:ca2:2::/64 \
--out-interface virbr0 \
--jump ACCEPT
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args
b/tests/networkxml2firewalldata/nat-tftp-linux.args
index e0cfdcecf5..1243bd1c2d 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.args
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.args
@@ -72,71 +72,71 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert OUT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 69 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -144,13 +144,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -158,7 +158,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -166,19 +166,19 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table mangle \
---insert POSTROUTING \
+--insert PRT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
diff --git a/tests/networkxml2firewalldata/route-default-linux.args
b/tests/networkxml2firewalldata/route-default-linux.args
index 5b8209af19..624e589aae 100644
--- a/tests/networkxml2firewalldata/route-default-linux.args
+++ b/tests/networkxml2firewalldata/route-default-linux.args
@@ -72,70 +72,70 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert OUT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table mangle \
---insert POSTROUTING \
+--insert PRT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \