Add unit test files nwfilternftablestest.c and nwfilterxml2nftfirewalltest.c, including data files in the existing nwfilterxml2firewalldata directory. The tests follow the same style and structure as those for the nwfilter ebiptables driver.
Signed-off-by: Dion Bosschieter <dionbosschieter@gmail.com> --- tests/meson.build | 2 + tests/nwfilternftablestest.c | 426 ++ .../ah-ipv6-linux.nftables.args | 298 ++ .../ah-linux.nftables.args | 292 ++ .../all-ipv6-linux.nftables.args | 280 ++ .../all-linux.nftables.args | 274 ++ .../arp-linux.nftables.args | 285 ++ .../comment-linux.nftables.args | 502 +++ .../conntrack-linux.nftables.args | 190 + .../esp-ipv6-linux.nftables.args | 298 ++ .../esp-linux.nftables.args | 292 ++ .../example-1-linux.nftables.args | 252 ++ .../example-2-linux.nftables.args | 352 ++ .../hex-data-linux.nftables.args | 368 ++ .../icmp-direction-linux.nftables.args | 226 ++ .../icmp-direction2-linux.nftables.args | 226 ++ .../icmp-direction3-linux.nftables.args | 176 + .../icmp-linux.nftables.args | 248 ++ .../icmpv6-linux.nftables.args | 316 ++ .../igmp-linux.nftables.args | 292 ++ .../ip-linux.nftables.args | 199 + .../ipt-no-macspoof-linux.nftables.args | 166 + .../ipv6-linux.nftables.args | 481 +++ .../iter1-linux.nftables.args | 292 ++ .../iter2-linux.nftables.args | 3532 +++++++++++++++++ .../iter3-linux.nftables.args | 410 ++ .../mac-linux.nftables.args | 176 + .../rarp-linux.nftables.args | 207 + .../sctp-ipv6-linux.nftables.args | 316 ++ .../sctp-linux.nftables.args | 316 ++ .../stp-linux.nftables.args | 233 ++ .../target-linux.nftables.args | 454 +++ .../target2-linux.nftables.args | 302 ++ .../tcp-ipv6-linux.nftables.args | 316 ++ .../tcp-linux.nftables.args | 452 +++ .../udp-ipv6-linux.nftables.args | 316 ++ .../udp-linux.nftables.args | 316 ++ .../udplite-ipv6-linux.nftables.args | 298 ++ .../udplite-linux.nftables.args | 292 ++ .../vlan-linux.nftables.args | 257 ++ tests/nwfilterxml2nftfirewalltest.c | 432 ++ 41 files changed, 15358 insertions(+) create mode 100644 tests/nwfilternftablestest.c create mode 100755 tests/nwfilterxml2firewalldata/ah-ipv6-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/ah-linux.nftables.args create mode 100755 
tests/nwfilterxml2firewalldata/all-ipv6-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/all-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/arp-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/comment-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/conntrack-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/esp-ipv6-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/esp-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/example-1-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/example-2-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/hex-data-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/icmp-direction-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/icmp-direction2-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/icmp-direction3-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/icmp-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/icmpv6-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/igmp-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/ip-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/ipv6-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/iter1-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/iter2-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/iter3-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/mac-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/rarp-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/sctp-ipv6-linux.nftables.args create mode 100755 
tests/nwfilterxml2firewalldata/sctp-linux.nftables.args create mode 100644 tests/nwfilterxml2firewalldata/stp-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/target-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/target2-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/tcp-ipv6-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/tcp-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/udp-ipv6-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/udp-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/udplite-ipv6-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/udplite-linux.nftables.args create mode 100755 tests/nwfilterxml2firewalldata/vlan-linux.nftables.args create mode 100644 tests/nwfilterxml2nftfirewalltest.c diff --git a/tests/meson.build b/tests/meson.build index 83aa0104bb..bcc446b5eb 100644 --- a/tests/meson.build +++ b/tests/meson.build @@ -444,7 +444,9 @@ endif if conf.has('WITH_NWFILTER') tests += [ { 'name': 'nwfilterebiptablestest', 'link_with': [ nwfilter_driver_impl ] }, + { 'name': 'nwfilternftablestest', 'link_with': [ nwfilter_driver_impl ] }, { 'name': 'nwfilterxml2ebipfirewalltest', 'link_with': [ nwfilter_driver_impl ] }, + { 'name': 'nwfilterxml2nftfirewalltest', 'link_with': [ nwfilter_driver_impl ] }, ] endif diff --git a/tests/nwfilternftablestest.c b/tests/nwfilternftablestest.c new file mode 100644 index 0000000000..a2480ec971 --- /dev/null +++ b/tests/nwfilternftablestest.c 
@@ -0,0 +1,426 @@
+/*
+ * nwfilternftablestest.c: Test nftables rule generation
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <config.h>
+
+#include "testutils.h"
+#include "nwfilter/nwfilter_nftables_driver.h"
+#include "virbuffer.h"
+
+#define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW
+#include "vircommandpriv.h"
+
+#define VIR_FROM_THIS VIR_FROM_NONE
+
+#define EXISTING_TABLE \
+ "table bridge %s { # handle 562\n" \
+ " comment \"this table is managed by libvirt\"\n" \
+ " map vmap-oif { # handle 1\n" \
+ " type iface_index : verdict\n" \
+ " elements = { \"vnet0\" : jump vnet0-in }\n" \
+ " }\n" \
+ "\n" \
+ " map vmap-iif { # handle 2\n" \
+ " type iface_index : verdict\n" \
+ " elements = { \"vnet0\" : jump vnet0-out }\n" \
+ " }\n" \
+ "\n" \
+ " chain postrouting { # handle 3\n" \
+ " type filter hook postrouting priority 1; policy accept;\n" \
+ " meta nftrace set 1 # handle 4\n" \
+ " oif vmap @vmap-oif # handle 7\n" \
+ " }\n" \
+ "\n" \
+ " chain prerouting { # handle 5\n" \
+ " type filter hook prerouting priority 1; policy accept;\n" \
+ " meta nftrace set 1 # handle 6\n" \
+ " iif vmap @vmap-iif # handle 8\n" \
+ " }\n" \
+ "\n" \
+ " chain n-vnet0-in { # handle 880\n" \
+ " ether type ip jump vnet0-ipv4-in # handle 893\n" \
+ " ether type ip6 jump vnet0-ipv6-in # handle 897\n" \
+ " }\n" \
+ "\n" \
+ " chain vnet0-in { # handle 880\n" \
+ " ether type ip jump vnet0-ipv4-in # handle 893\n" \
+ " ether type ip6 jump vnet0-ipv6-in # handle 897\n" \
+ " }\n" \
+ "\n" \
+ " chain vnet0-out { # handle 881\n" \
+ " ip6 saddr 2a01:7c8:e100:1::78e2 tcp dport 465-465 ct direction original drop comment \"priority=100\" # handle 882\n" \
+ " ip6 saddr 2a01:7c8:e100:1::78e2 tcp dport 587-587 ct direction original drop comment \"priority=100\" # handle 883\n" \
+ " ip saddr 192.168.1.2 tcp dport 25-25 ct direction original drop comment \"priority=100\" # handle 884\n" \
+ " ip saddr 192.168.1.2 tcp dport 587-587 ct direction original drop comment \"priority=100\" # handle 885\n" \
+ " ether type ip tcp dport 25-25 ct direction original drop comment \"priority=100\" # handle 886\n" \
+ " ether type ip6 tcp dport 25-25 ct direction original drop comment \"priority=100\" # handle 887\n" \
+ " ip6 daddr 2a01:7c8:e100:1::78e2 tcp dport 465-465 ct direction original accept comment \"priority=100\" # handle 888\n" \
+ " ip6 saddr 2a01:7c8:e100:1::78e2 udp dport 587-587 ct direction original drop comment \"priority=100\" # handle 889\n" \
+ " ip saddr 192.168.1.2 udp dport 25-25 ct direction original continue comment \"priority=100\" # handle 890\n" \
+ " ether type ip ct direction original continue comment \"priority=100\" # handle 891\n" \
+ " ether type ip jump vnet0-ipv4-out # handle 895\n" \
+ " ether type ip6 jump vnet0-ipv6-out # handle 899\n" \
+ " }\n" \
+ "\n" \
+ " chain vnet0-ipv4-in { # handle 892\n" \
+ " ip saddr 192.168.1.1 tcp dport 4444 ct direction reply ct state established,new accept comment \"priority=302\" # handle 902\n" \
+ " ether type ip meta l4proto tcp ct direction reply drop comment \"priority=601\" # handle 904\n" \
+ " ether type ip meta l4proto udp ct direction reply drop comment \"priority=603\" # handle 905\n" \
+ " }\n" \
+ "\n" \
+ " chain vnet0-ipv4-out { # handle 894\n" \
+ " ip protocol icmp ct count over 42 drop comment \"priority=400\" # handle 903\n" \
+ " }\n" \
+ "\n" \
+ " chain vnet0-ipv6-in { # handle 896\n" \
+ " ip6 daddr fe80::5054:ff:fe60:baae udp sport 547 udp dport 546 ct direction reply accept comment \"priority=111\" # handle 901\n" \
+ " }\n" \
+ "\n" \
+ " chain vnet0-ipv6-out { # handle 898\n" \
+ " ip6 saddr fe80::5054:ff:fe60:baae ip6 daddr ff02::1:2 udp sport 546 udp dport 547 ct direction original accept comment \"priority=110\" # handle 900\n" \
+ " }\n" \
+ "}\n"
+
+#define OLD_REMOVES \
+ "nft -a list table bridge libvirt_nwfilter_ethernet\n" \
+ "nft -a list table bridge libvirt_nwfilter_inet\n" \
+ "nft delete element bridge libvirt_nwfilter_ethernet vmap-oif '{' '\"vnet0\"' '}'\n" \
+ "nft delete element bridge libvirt_nwfilter_ethernet vmap-iif '{' '\"vnet0\"' '}'\n" \
+ "nft delete chain bridge libvirt_nwfilter_ethernet vnet0-in\n" \
+ "nft delete chain bridge libvirt_nwfilter_ethernet vnet0-out\n" \
+ "nft delete chain bridge libvirt_nwfilter_ethernet vnet0-ipv4-in\n" \
+ "nft delete chain bridge libvirt_nwfilter_ethernet vnet0-ipv4-out\n" \
+ "nft delete chain bridge libvirt_nwfilter_ethernet vnet0-ipv6-in\n" \
+ "nft delete chain bridge libvirt_nwfilter_ethernet vnet0-ipv6-out\n" \
+ "nft delete element bridge libvirt_nwfilter_inet vmap-oif '{' '\"vnet0\"' '}'\n" \
+ "nft delete element bridge libvirt_nwfilter_inet vmap-iif '{' '\"vnet0\"' '}'\n" \
+ "nft delete chain bridge libvirt_nwfilter_inet vnet0-in\n" \
+ "nft delete chain bridge libvirt_nwfilter_inet vnet0-out\n" \
+ "nft delete chain bridge libvirt_nwfilter_inet vnet0-ipv4-in\n" \
+ "nft delete chain bridge libvirt_nwfilter_inet vnet0-ipv4-out\n" \
+ "nft delete chain bridge libvirt_nwfilter_inet vnet0-ipv6-in\n" \
+ "nft delete chain bridge libvirt_nwfilter_inet vnet0-ipv6-out\n"
+
+static void
+testCommandDryRunCallback(const char *const*args,
+ const char *const*env G_GNUC_UNUSED,
+ const char *input G_GNUC_UNUSED,
+ char **output,
+ char **error G_GNUC_UNUSED,
+ int *status,
+ void *opaque G_GNUC_UNUSED)
+{
+ size_t argc = 0;
+ const char *table;
+
+ while (args[argc] != NULL)
+ argc++;
+
+ if (STRNEQ(args[0], "nft")) {
+ *status = EXIT_FAILURE;
+ return;
+ }
+
+ /* simulate an empty existing set rules */
+ if (argc == 6 && STREQ(args[1], "-a") && STREQ(args[2], "list")) {
+ table = args[argc-1];
+ *output = g_strdup_printf(EXISTING_TABLE, table);
+ *status = EXIT_SUCCESS;
+ }
+}
+
+
+static int
+testNWFilterNFTablesAllTeardown(const void *opaque G_GNUC_UNUSED)
+{
+ g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
+ const char *expected = OLD_REMOVES;
+ g_autofree char *actual = NULL;
+ g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
+
+ virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunCallback, NULL);
+
+ if (nftables_driver.allTeardown("vnet0") < 0)
+ return -1;
+
+ actual = virBufferContentAndReset(&buf);
+
+ if (virTestCompareToString(expected, actual) < 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
+testNWFilterNFTablesTearOldRules(const void *opaque G_GNUC_UNUSED)
+{
+ g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
+ const char *expected =
+ "nft -a list table bridge libvirt_nwfilter_ethernet\n"
+ "nft -a list table bridge libvirt_nwfilter_inet\n"
+ OLD_REMOVES
+ "nft rename chain bridge libvirt_nwfilter_ethernet n-vnet0-in vnet0-in\n"
+ "nft rename chain bridge libvirt_nwfilter_inet n-vnet0-in vnet0-in\n";
+ g_autofree char *actual = NULL;
+ g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
+
+ virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunCallback, NULL);
+
+ if (nftables_driver.tearOldRules("vnet0") < 0)
+ return -1;
+
+ actual = virBufferContentAndReset(&buf);
+
+ if (virTestCompareToString(expected, actual) < 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
+testNWFilterNFTablesRemoveBasicRules(const void *opaque G_GNUC_UNUSED)
+{
+ g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
+ const char *expected = OLD_REMOVES;
+ g_autofree char *actual = NULL;
+ g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
+
+ virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunCallback, NULL);
+
+ if (nftables_driver.removeBasicRules("vnet0") < 0)
+ return -1;
+
+ actual = virBufferContentAndReset(&buf);
+
+ if (virTestCompareToString(expected, actual) < 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
+testNWFilterNFTablesTearNewRules(const void *opaque G_GNUC_UNUSED)
+{
+ g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
+ const char *expected =
+ "nft -a list table bridge libvirt_nwfilter_ethernet\n"
+ "nft -a list table bridge libvirt_nwfilter_inet\n"\
+ "nft delete chain bridge libvirt_nwfilter_ethernet n-vnet0-in\n"
+ "nft delete chain bridge libvirt_nwfilter_inet n-vnet0-in\n";
+ g_autofree char *actual = NULL;
+ g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
+
+ virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunCallback, NULL);
+
+ if (nftables_driver.tearNewRules("vnet0") < 0)
+ return -1;
+
+ actual = virBufferContentAndReset(&buf);
+
+ if (virTestCompareToString(expected, actual) < 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
+testNWFilterNFTablesApplyBasicRules(const void *opaque G_GNUC_UNUSED)
+{
+ g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
+ const char *expected =
+ "nft list tables\n"
+ OLD_REMOVES
+ "nft add chain bridge libvirt_nwfilter_ethernet vnet0-in '{ }'\n"
+ "nft add chain bridge libvirt_nwfilter_inet vnet0-in '{ }'\n"
+ "nft add chain bridge libvirt_nwfilter_ethernet vnet0-out '{ }'\n"
+ "nft add chain bridge libvirt_nwfilter_inet vnet0-out '{ }'\n"
+ "nft add rule bridge libvirt_nwfilter_ethernet vnet0-out ether saddr '!=' 10:20:30:40:50:60 drop\n"
+ "nft add rule bridge libvirt_nwfilter_ethernet vnet0-out ether type ip accept\n"
+ "nft add rule bridge libvirt_nwfilter_ethernet vnet0-out ether type arp accept\n"
+ "nft add rule bridge libvirt_nwfilter_ethernet vnet0-out accept\n"
+ "nft delete element bridge libvirt_nwfilter_inet vmap-oif '{' vnet0 '}'\n"
+ "nft add element bridge libvirt_nwfilter_inet vmap-oif '{' vnet0 : jump vnet0-in '}'\n"
+ "nft delete element bridge libvirt_nwfilter_ethernet vmap-oif '{' vnet0 '}'\n"
+ "nft add element bridge libvirt_nwfilter_ethernet vmap-oif '{' vnet0 : jump vnet0-in '}'\n"
+ "nft delete element bridge libvirt_nwfilter_inet vmap-iif '{' vnet0 '}'\n"
+ "nft add element bridge libvirt_nwfilter_inet vmap-iif '{' vnet0 : jump vnet0-out '}'\n"
+ "nft delete element bridge libvirt_nwfilter_ethernet vmap-iif '{' vnet0 '}'\n"
+ "nft add element bridge libvirt_nwfilter_ethernet vmap-iif '{' vnet0 : jump vnet0-out '}'\n";
+ g_autofree char *actual = NULL;
+ virMacAddr mac = { .addr = { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } };
+ g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
+
+ virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunCallback, NULL);
+
+ if (nftables_driver.applyBasicRules("vnet0", &mac) < 0)
+ return -1;
+
+ actual = virBufferContentAndReset(&buf);
+
+ if (virTestCompareToString(expected, actual) < 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
+testNWFilterNFTablesApplyDHCPOnlyRules(const void *opaque G_GNUC_UNUSED)
+{
+ g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
+ const char *expected =
+ "nft list tables\n"
+ OLD_REMOVES
+ "nft add chain bridge libvirt_nwfilter_ethernet vnet0-in '{ }'\n"
+ "nft add chain bridge libvirt_nwfilter_inet vnet0-in '{ }'\n"
+ "nft add chain bridge libvirt_nwfilter_ethernet vnet0-out '{ }'\n"
+ "nft add chain bridge libvirt_nwfilter_inet vnet0-out '{ }'\n"
+ "nft add rule bridge libvirt_nwfilter_ethernet vnet0-out ether saddr 10:20:30:40:50:60 ether type ip udp sport 68 udp dport 67 accept\n"
+ "nft add rule bridge libvirt_nwfilter_ethernet vnet0-out drop\n"
+ "nft add rule bridge libvirt_nwfilter_ethernet vnet0-in ether daddr 10:20:30:40:50:60 ether type ip ip saddr 192.168.122.1 udp sport 67 udp dport 68 accept\n"
+ "nft add rule bridge libvirt_nwfilter_ethernet vnet0-in ether daddr ff:ff:ff:ff:ff:ff ether type ip ip saddr 192.168.122.1 udp sport 67 udp dport 68 accept\n"
+ "nft add rule bridge libvirt_nwfilter_ethernet vnet0-in ether daddr 10:20:30:40:50:60 ether type ip ip saddr 10.0.0.1 udp sport 67 udp dport 68 accept\n"
+ "nft add rule bridge libvirt_nwfilter_ethernet vnet0-in ether daddr ff:ff:ff:ff:ff:ff ether type ip ip saddr 10.0.0.1 udp sport 67 udp dport 68 accept\n"
+ "nft add rule bridge libvirt_nwfilter_ethernet vnet0-in ether daddr 10:20:30:40:50:60 ether type ip ip saddr 10.0.0.2 udp sport 67 udp dport 68 accept\n"
+ "nft add rule bridge libvirt_nwfilter_ethernet vnet0-in ether daddr ff:ff:ff:ff:ff:ff ether type ip ip saddr 10.0.0.2 udp sport 67 udp dport 68 accept\n"
+ "nft add rule bridge libvirt_nwfilter_ethernet vnet0-in drop\n"
+ "nft delete element bridge libvirt_nwfilter_inet vmap-oif '{' vnet0 '}'\n"
+ "nft add element bridge libvirt_nwfilter_inet vmap-oif '{' vnet0 : jump vnet0-in '}'\n"
+ "nft delete element bridge libvirt_nwfilter_ethernet vmap-oif '{' vnet0 '}'\n"
+ "nft add element bridge libvirt_nwfilter_ethernet vmap-oif '{' vnet0 : jump vnet0-in '}'\n"
+ "nft delete element bridge libvirt_nwfilter_inet vmap-iif '{' vnet0 '}'\n"
+ "nft add element bridge libvirt_nwfilter_inet vmap-iif '{' vnet0 : jump vnet0-out '}'\n"
+ "nft delete element bridge libvirt_nwfilter_ethernet vmap-iif '{' vnet0 '}'\n"
+ "nft add element bridge libvirt_nwfilter_ethernet vmap-iif '{' vnet0 : jump vnet0-out '}'\n";
+ g_autofree char *actual = NULL;
+ virMacAddr mac = { .addr = { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } };
+ const char *servers[] = { "192.168.122.1", "10.0.0.1", "10.0.0.2" };
+ virNWFilterVarValue val = {
+ .valType = NWFILTER_VALUE_TYPE_ARRAY,
+ .u = {
+ .array = {
+ .values = (char **)servers,
+ .nValues = 3,
+ }
+ }
+ };
+ g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
+
+ virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunCallback, NULL);
+
+ if (nftables_driver.applyDHCPOnlyRules("vnet0", &mac, &val, false) < 0)
+ return -1;
+
+ actual = virBufferContentAndReset(&buf);
+
+ if (virTestCompareToString(expected, actual) < 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+
+
+static int
+testNWFilterNFTablesApplyDropAllRules(const void *opaque G_GNUC_UNUSED)
+{
+ g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
+ const char *expected =
+ "nft list tables\n"
+ OLD_REMOVES
+ "nft add chain bridge libvirt_nwfilter_ethernet vnet0-in '{ }'\n"
+ "nft add chain bridge libvirt_nwfilter_inet vnet0-in '{ }'\n"
+ "nft add chain bridge libvirt_nwfilter_ethernet vnet0-out '{ }'\n"
+ "nft add chain bridge libvirt_nwfilter_inet vnet0-out '{ }'\n"
+ "nft add rule bridge libvirt_nwfilter_ethernet vnet0-out drop\n"
+ "nft add rule bridge libvirt_nwfilter_ethernet vnet0-in drop\n"
+ "nft add rule bridge libvirt_nwfilter_ethernet postrouting oifname vnet0 jump vnet0-in\n"
+ "nft add rule bridge libvirt_nwfilter_ethernet prerouting iifname vnet0 jump vnet0-out\n";
+ g_autofree char *actual = NULL;
+ g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
+
+ virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunCallback, NULL);
+
+ if (nftables_driver.applyDropAllRules("vnet0") < 0)
+ return -1;
+
+ actual = virBufferContentAndReset(&buf);
+
+ if (virTestCompareToString(expected, actual) < 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
+mymain(void)
+{
+ int ret = 0;
+
+ if (virTestRun("nftablesAllTeardown",
+ testNWFilterNFTablesAllTeardown,
+ NULL) < 0)
+ ret = -1;
+
+ if (virTestRun("nftablesTearOldRules",
+ testNWFilterNFTablesTearOldRules,
+ NULL) < 0)
+ ret = -1;
+
+ if (virTestRun("nftablesRemoveBasicRules",
+ testNWFilterNFTablesRemoveBasicRules,
+ NULL) < 0)
+ ret = -1;
+
+ if (virTestRun("nftablesTearNewRules",
+ testNWFilterNFTablesTearNewRules,
+ NULL) < 0)
+ ret = -1;
+
+ if (virTestRun("nftablesApplyBasicRules",
+ testNWFilterNFTablesApplyBasicRules,
+ NULL) < 0)
+ ret = -1;
+
+ if (virTestRun("nftablesApplyDHCPOnlyRules",
+ testNWFilterNFTablesApplyDHCPOnlyRules,
+ NULL) < 0)
+ ret = -1;
+
+ if (virTestRun("nftablesApplyDropAllRules",
+ testNWFilterNFTablesApplyDropAllRules,
+ NULL) < 0)
+ ret = -1;
+
+ return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
+}
+
+VIR_TEST_MAIN_PRELOAD(mymain, VIR_TEST_MOCK("virfirewall"))
diff --git a/tests/nwfilterxml2firewalldata/ah-ipv6-linux.nftables.args b/tests/nwfilterxml2firewalldata/ah-ipv6-linux.nftables.args
new file mode 100755
index 0000000000..702614bac9
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ah-ipv6-linux.nftables.args
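Review bot: The expectation pinned in testNWFilterNFTablesApplyBasicRules ends the vnet0-out chain with an unconditional `accept`, which makes the preceding `ether type ip accept` and `ether type arp accept` rules redundant and passes every ether type sent from the guest's MAC, whereas the DHCP-only and drop-all expectations in this same file end their chains with `drop`. If the basic rules are meant to allow only IPv4 and ARP, as the two explicit accepts suggest, the final expected line should be `"nft add rule bridge libvirt_nwfilter_ethernet vnet0-out drop\n"` with the driver changed to match; the driver is not visible in this hunk, so confirm the intended verdict against the ebiptables basic rules before the test locks the permissive behaviour in. Separately, in testCommandDryRunCallback the comment `/* simulate an empty existing set rules */` describes a fixture (EXISTING_TABLE) that is not empty, and `*status` is left unassigned for any nft command that is not a list; adding `*status = EXIT_SUCCESS;` before the list check would make the mock's result explicit rather than dependent on the caller's initial value.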
@@ -0,0 +1,298 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ 
+jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/ah-linux.nftables.args b/tests/nwfilterxml2firewalldata/ah-linux.nftables.args new file mode 100755 index 0000000000..2e123974b7 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/ah-linux.nftables.args 
@@ -0,0 +1,292 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' 
+nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/all-ipv6-linux.nftables.args b/tests/nwfilterxml2firewalldata/all-ipv6-linux.nftables.args new file mode 100755 index 0000000000..f0fd014554 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/all-ipv6-linux.nftables.args 
@@ -0,0 +1,280 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge 
\ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/all-linux.nftables.args b/tests/nwfilterxml2firewalldata/all-linux.nftables.args new file mode 100755 index 0000000000..b4e98c21de --- /dev/null +++ b/tests/nwfilterxml2firewalldata/all-linux.nftables.args 
@@ -0,0 +1,274 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ 
+bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/arp-linux.nftables.args b/tests/nwfilterxml2firewalldata/arp-linux.nftables.args new file mode 100755 index 0000000000..9bad9955ac --- /dev/null +++ b/tests/nwfilterxml2firewalldata/arp-linux.nftables.args 
@@ -0,0 +1,285 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x806 \ +arp \ +htype \ +12 \ +arp \ +ptype \ +0x22 \ +arp \ +operation \ +1 \ +arp \ +saddr \ +ether \ +01:02:03:04:05:06 \ +arp \ +daddr \ +ether \ +0a:0b:0c:0d:0e:0f \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +arp \ +htype \ +255 \ +arp \ +ptype \ +0xff \ +arp \ +operation \ +1 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +arp \ +htype \ +256 \ +arp \ +ptype \ +0x100 \ +arp \ +operation \ +11 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +arp \ +htype \ +65535 \ +arp \ +ptype \ +0xffff \ +arp \ +operation \ +65535 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +type \ +0x806 \ +arp \ +saddr \ +ip \ +'&' \ +255.0.0.0 \ +. \ +arp \ +daddr \ +ip \ +'&' \ +255.0.0.0 \ +== \ +@same-ip-set \ +arp \ +saddr \ +ip \ +'&' \ +0.255.0.0 \ +. \ +arp \ +daddr \ +ip \ +'&' \ +0.255.0.0 \ +== \ +@same-ip-set \ +arp \ +saddr \ +ip \ +'&' \ +0.0.255.0 \ +. \ +arp \ +daddr \ +ip \ +'&' \ +0.0.255.0 \ +== \ +@same-ip-set \ +arp \ +saddr \ +ip \ +'&' \ +0.0.0.255 \ +. 
\ +arp \ +daddr \ +ip \ +'&' \ +0.0.0.255 \ +== \ +@same-ip-set \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/comment-linux.nftables.args b/tests/nwfilterxml2firewalldata/comment-linux.nftables.args new file mode 100755 index 0000000000..f19f865fd8 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/comment-linux.nftables.args 
@@ -0,0 +1,502 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +type \ +0x1234 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +protocol \ +17 \ +th \ +sport \ +291-564 \ +th \ +dport \ +13398-17767 \ +ip \ +dscp \ +0x32 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:fe == 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:80 == aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/22 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/113 \ +ip6 \ +nexthdr \ +6 \ +th \ +sport \ +273-400 \ +th \ +dport \ +13107-65535 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x806 \ +arp \ +htype \ +18 \ +arp \ +ptype \ +0x56 \ +arp \ +operation \ +1 \ +arp \ +saddr \ +ether \ +01:02:03:04:05:06 \ +arp \ +daddr \ +ether \ +0a:0b:0c:0d:0e:0f \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +34 \ +udp \ +dport \ +564-1092 \ +udp \ +sport \ +291-400 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"usercomment=udp rule"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +34 \ +udp \ +sport \ +564-1092 \ +udp \ +dport \ +291-400 \ +ct \ +direction \ +reply \ +ct \ +state 
\ +established \ +accept \ +comment \ +'"usercomment=udp rule"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +57 \ +tcp \ +dport \ +256-4369 \ +tcp \ +sport \ +32-33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"usercomment=tcp/ipv6 rule"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +57 \ +tcp \ +sport \ +256-4369 \ +tcp \ +dport \ +32-33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"usercomment=tcp/ipv6 rule"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"usercomment=`ls`;${COLUMNS};$(ls);'\''test'\'';&'\''3 spaces'\''"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"usercomment=`ls`;${COLUMNS};$(ls);'\''test'\'';&'\''3 spaces'\''"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"usercomment=comment with lone '\'', `, '\'', `, \, $x, and two spaces"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"usercomment=comment with lone '\'', `, '\'', `, \, $x, and two spaces"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in 
\ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"usercomment=tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"usercomment=tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' 
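Review bot: The expected `comment` arguments for the udp, sctp and ah ip6 rules in this hunk never contain a double quote inside the `"usercomment=…"` string, so the one character that could end nft's quoted string early is not pinned by this fixture. The payloads cover shell metacharacters (`$(ls)`, `${tmp}`, `;`, `&`, a lone backslash), which shows the value stays a single argv element, but nft parses that element as rule text and, as far as I know, closes a quoted string at the next `"`. The `'test'` payload and the repeated lone `'` in the sctp case look as if the driver rewrites `"` to `'` before quoting; that is inferred, since the input XML is not part of this hunk. If that is the intent, say so in a comment next to the quoting code, e.g. `/* nft has no escape for '"' inside a quoted string; replace it so the comment cannot terminate the string */`, and keep one input whose comment visibly contains `"` so a regression in that substitution fails this test.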
diff --git a/tests/nwfilterxml2firewalldata/conntrack-linux.nftables.args b/tests/nwfilterxml2firewalldata/conntrack-linux.nftables.args
new file mode 100755
index 0000000000..46a3ec7f25
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/conntrack-linux.nftables.args
@@ -0,0 +1,190 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +count \ +over \ +1 \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ct \ +count \ +over \ +2 \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' 
diff --git a/tests/nwfilterxml2firewalldata/esp-ipv6-linux.nftables.args b/tests/nwfilterxml2firewalldata/esp-ipv6-linux.nftables.args
new file mode 100755
index 0000000000..184d0d2ae5
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/esp-ipv6-linux.nftables.args
@@ -0,0 +1,298 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ 
+vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/esp-linux.nftables.args b/tests/nwfilterxml2firewalldata/esp-linux.nftables.args new file mode 100755 index 0000000000..fc1df1f3bb --- /dev/null +++ b/tests/nwfilterxml2firewalldata/esp-linux.nftables.args 
@@ -0,0 +1,292 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 
\ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/example-1-linux.nftables.args b/tests/nwfilterxml2firewalldata/example-1-linux.nftables.args new file mode 100755 index 0000000000..a501a4fa50 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/example-1-linux.nftables.args 
@@ -0,0 +1,252 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +dport \ +22 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +sport \ +22 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ 
+libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/example-2-linux.nftables.args b/tests/nwfilterxml2firewalldata/example-2-linux.nftables.args new file mode 100755 index 0000000000..e8a082dc74 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/example-2-linux.nftables.args 
@@ -0,0 +1,352 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +established,related \ +accept \ +comment \ +'"usercomment=out: existing and related (ftp) connections"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +reply \ +ct \ +state \ +established,related \ +accept \ +comment \ +'"usercomment=out: existing and related (ftp) connections"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +established \ +accept \ +comment \ +'"usercomment=in: existing connections"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"usercomment=in: existing connections"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +dport \ +21-22 \ +ct \ +direction \ +original \ +ct \ +state \ +new \ +accept \ +comment \ +'"usercomment=in: ftp and ssh"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +sport \ +21-22 \ +ct \ +direction \ +reply \ +ct \ +state \ +new \ +accept \ +comment \ +'"usercomment=in: ftp and ssh"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +new \ +accept \ +comment \ +'"usercomment=in: icmp"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +new \ +accept \ +comment \ +'"usercomment=in: icmp"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +udp \ +dport \ +53 \ +ct \ +direction \ +original \ +ct 
\ +state \ +new \ +accept \ +comment \ +'"usercomment=out: DNS lookups"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +udp \ +sport \ +53 \ +ct \ +direction \ +reply \ +ct \ +state \ +new \ +accept \ +comment \ +'"usercomment=out: DNS lookups"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"usercomment=inout: drop all non-accepted traffic"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +drop \ +comment \ +'"usercomment=inout: drop all non-accepted traffic"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' 
diff --git a/tests/nwfilterxml2firewalldata/hex-data-linux.nftables.args b/tests/nwfilterxml2firewalldata/hex-data-linux.nftables.args
new file mode 100755
index 0000000000..b41d7811bb
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/hex-data-linux.nftables.args
@@ -0,0 +1,368 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +type \ +0x1234 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +protocol \ +17 \ +th \ +sport \ +291-564 \ +th \ +dport \ +13398-17767 \ +ip \ +dscp \ +0x32 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:fe == 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:80 == aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/22 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/113 \ +ip6 \ +nexthdr \ +6 \ +th \ +sport \ +273-400 \ +th \ +dport \ +13107-65535 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x806 \ +arp \ +htype \ +18 \ +arp \ +ptype \ +0x56 \ +arp \ +operation \ +1 \ +arp \ +saddr \ +ether \ +01:02:03:04:05:06 \ +arp \ +daddr \ +ether \ +0a:0b:0c:0d:0e:0f \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +34 \ +udp \ +dport \ +564-1092 \ +udp \ +sport \ +291-400 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +34 \ +udp \ +sport \ +564-1092 \ +udp \ +dport \ +291-400 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ 
+rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +57 \ +tcp \ +dport \ +256-4369 \ +tcp \ +sport \ +32-33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +57 \ +tcp \ +sport \ +256-4369 \ +tcp \ +dport \ +32-33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' 
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction-linux.nftables.args b/tests/nwfilterxml2firewalldata/icmp-direction-linux.nftables.args
new file mode 100755
index 0000000000..4202de5e0f
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-direction-linux.nftables.args
@@ -0,0 +1,226 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +0 \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +0 \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +8 \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +8 \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ 
+bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/icmp-direction2-linux.nftables.args b/tests/nwfilterxml2firewalldata/icmp-direction2-linux.nftables.args new file mode 100755 index 0000000000..50ba9b7ebf --- /dev/null +++ b/tests/nwfilterxml2firewalldata/icmp-direction2-linux.nftables.args 
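Review bot: The tail of icmp-direction-linux.nftables.args replaces the interface's verdict-map entry with two separate invocations, `nft delete element bridge libvirt_nwfilter_inet vmap-oif '{' vnet0 '}'` and then `nft add element … '{' vnet0 : jump n-vnet0-in '}'`, so the swap is not a single transaction. Between the two commands the map has no entry for vnet0, and the delete presumably returns an error when the element does not exist yet; whether either matters depends on driver code that is not part of this hunk. Feeding both statements to one `nft -f -` batch would make the replacement atomic. The fixture also adds an explicit `postrouting oif vnet0 jump n-vnet0-in` rule next to the vmap entry, which looks like the same per-interface chain being dispatched twice, so a comment in the driver naming the authoritative path would help. Every other hunk on this page ends with the same block.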
@@ -0,0 +1,226 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +8 \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +8 \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +0 \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +0 \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ 
+bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/icmp-direction3-linux.nftables.args b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.nftables.args new file mode 100755 index 0000000000..5483994207 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.nftables.args 
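Review bot: The mirrored conntrack rules in icmp-direction2-linux.nftables.args keep the ICMP type of the rule they mirror: `n-vnet0-out … icmp type 8 ct state established accept` follows the inbound type 8 rule, and `n-vnet0-in … icmp type 0 ct state established accept` follows the outbound type 0 rule. The answer to an echo request (8) is an echo reply (0), so a mirror with the same type cannot describe return traffic; it only places extra accept rules for the opposite direction ahead of the closing `ip protocol icmp drop`. I would expect the mirror to be left out whenever an ICMP type is set, and it is worth comparing against the existing iptables expected output for the same XML to see whether that driver does so. The icmp-direction hunk before this one pins the same pattern with the two types swapped.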
@@ -0,0 +1,176 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' 
diff --git a/tests/nwfilterxml2firewalldata/icmp-linux.nftables.args b/tests/nwfilterxml2firewalldata/icmp-linux.nftables.args
new file mode 100755
index 0000000000..e436fc0acf
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-linux.nftables.args
@@ -0,0 +1,248 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +icmp \ +type \ +12 \ +icmp \ +code \ +11 \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +icmp \ +type \ +12 \ +icmp \ +code \ +11 \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +icmp \ +type \ +255 \ +icmp \ +code \ +255 \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +icmp \ +type \ +255 \ +icmp \ +code \ +255 \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ 
+libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/icmpv6-linux.nftables.args b/tests/nwfilterxml2firewalldata/icmpv6-linux.nftables.args new file mode 100755 index 0000000000..aeae3dd3e7 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/icmpv6-linux.nftables.args 
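Review bot: In each rule pair of icmp-linux.nftables.args the IP match is flipped for the return direction but the MAC match is not: `n-vnet0-out … ether saddr 01:02:03:04:05:06 … ip daddr 10.1.2.3/32 … new,established accept` is mirrored as `n-vnet0-in … ether saddr 01:02:03:04:05:06 … ip saddr 10.1.2.3/32 … established accept`. A frame travelling in the return direction would carry that address as its destination, so the mirrored rule presumably never matches and reply traffic falls through to whatever follows in the chain. The mirror should either match `ether daddr 01:02:03:04:05:06` or drop the MAC match; the driver code that decides this is outside this hunk, so the fixture would need regenerating after the fix. The icmpv6 and igmp hunks that follow pin the same output.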
@@ -0,0 +1,316 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +icmpv6 \ +type \ +12 \ +icmpv6 \ +code \ +11 \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +icmpv6 \ +type \ +12 \ +icmpv6 \ +code \ +11 \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +icmpv6 \ +type \ +255 \ +icmpv6 \ +code \ +255 \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +icmpv6 \ +type \ +255 \ +icmpv6 \ +code \ +255 \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +icmpv6 \ +type \ +255 \ +icmpv6 \ +code \ +255 \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +icmpv6 \ +type \ +255 \ +icmpv6 \ +code \ +255 \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ 
+postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/igmp-linux.nftables.args b/tests/nwfilterxml2firewalldata/igmp-linux.nftables.args new file mode 100755 index 0000000000..f148504685 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/igmp-linux.nftables.args 
@@ -0,0 +1,292 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ 
+vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/ip-linux.nftables.args b/tests/nwfilterxml2firewalldata/ip-linux.nftables.args new file mode 100755 index 0000000000..eee7a4b4af --- /dev/null +++ b/tests/nwfilterxml2firewalldata/ip-linux.nftables.args 
@@ -0,0 +1,199 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +protocol \ +17 \ +th \ +sport \ +20-22 \ +th \ +dport \ +100-101 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +saddr \ +10.1.2.3/17 \ +ip \ +daddr \ +10.1.2.3/24 \ +ip \ +protocol \ +17 \ +ip \ +dscp \ +0x3f \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +saddr \ +10.1.2.3/31 \ +ip \ +daddr \ +10.1.2.3/25 \ +ip \ +protocol \ +255 \ +ip \ +dscp \ +0x3f \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ 
+vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.nftables.args b/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.nftables.args new file mode 100755 index 0000000000..0611160fc8 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.nftables.args 
@@ -0,0 +1,166 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ether \ +saddr \ +'!=' \ +12:34:56:78:9a:bc \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +'!=' \ +12:34:56:78:9a:bc \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ether \ +saddr \ +'!=' \ +aa:aa:aa:aa:aa:aa \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/ipv6-linux.nftables.args b/tests/nwfilterxml2firewalldata/ipv6-linux.nftables.args new file mode 100755 index 0000000000..1f933bdc57 --- /dev/null 
+++ b/tests/nwfilterxml2firewalldata/ipv6-linux.nftables.args 
@@ -0,0 +1,481 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:fe == 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:80 == aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/22 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/113 \ +ip6 \ +nexthdr \ +17 \ +th \ +sport \ +20-22 \ +th \ +dport \ +100-101 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +6 \ +th \ +sport \ +20-22 \ +th \ +dport \ +100-101 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +6 \ +th \ +dport \ +20-22 \ +th \ +sport \ +100-101 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +6 \ +th \ +sport \ +255-256 \ +th \ +dport \ +65535-65535 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +6 \ +th \ +dport \ +255-256 \ +th \ +sport \ +65535-65535 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +18 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +18 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +58 \ +icmpv6 \ +type \ +1 \ +icmpv6 \ +code \ +10 \ +accept +nft \ +add \ 
+rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +58 \ +icmpv6 \ +type \ +1 \ +icmpv6 \ +code \ +10 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +58 \ +icmpv6 \ +type \ +1 \ +icmpv6 \ +code \ +10 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +58 \ +icmpv6 \ +type \ +1 \ +icmpv6 \ +code \ +10 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +58 \ +icmpv6 \ +code \ +10 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +58 \ +icmpv6 \ +code \ +10 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +58 \ +icmpv6 \ +type \ +1 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +58 \ +icmpv6 \ +type \ +1 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete 
\ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/iter1-linux.nftables.args b/tests/nwfilterxml2firewalldata/iter1-linux.nftables.args new file mode 100755 index 0000000000..8c62640e95 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/iter1-linux.nftables.args 
@@ -0,0 +1,292 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' 
+nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/iter2-linux.nftables.args b/tests/nwfilterxml2firewalldata/iter2-linux.nftables.args new file mode 100755 index 0000000000..aa81c7a357 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/iter2-linux.nftables.args 
@@ -0,0 +1,3532 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +1 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +1 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +1 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +1 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +udp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +udp \ 
+dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +udp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +udp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +udp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +udp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +udp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +udp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +udp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ 
+udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +udp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +udp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +udp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1080 \ +sctp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1080 \ +sctp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1080 \ +sctp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1080 \ +sctp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1080 \ +sctp \ +sport \ 
+80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1080 \ +sctp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1090 \ +sctp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1090 \ +sctp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1090 \ +sctp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1090 \ +sctp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1090 \ +sctp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1090 \ +sctp \ +dport \ +90 \ 
+ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1100 \ +sctp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1100 \ +sctp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1100 \ +sctp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1100 \ +sctp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1100 \ +sctp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1100 \ +sctp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1110 \ +sctp \ +sport \ +80 \ +ct \ 
+direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1110 \ +sctp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1110 \ +sctp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1110 \ +sctp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1110 \ +sctp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1110 \ +sctp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1080 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1080 \ +tcp \ +dport \ +80 \ +ct \ +direction \ 
+reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1080 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1080 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1080 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1080 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1080 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1080 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1080 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ 
+new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1080 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1080 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1080 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1090 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1090 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1090 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1090 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ 
+add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1090 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1090 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1090 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1090 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1090 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1090 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1090 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ 
+libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1090 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1100 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1100 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1100 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1100 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1100 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1100 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ 
+n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1100 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1100 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1100 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1100 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1100 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1100 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1110 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type 
\ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1110 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1110 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1110 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1110 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1110 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1110 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1110 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ 
+ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1110 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1110 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1110 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1110 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ 
+reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ 
+ip \ +daddr \ +3.3.3.3 \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge 
\ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ 
+prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/iter3-linux.nftables.args b/tests/nwfilterxml2firewalldata/iter3-linux.nftables.args new file mode 100755 index 0000000000..6c5b4cfd7d --- /dev/null +++ b/tests/nwfilterxml2firewalldata/iter3-linux.nftables.args 
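Review bot: `new file mode 100755` on iter2-linux.nftables.args, and again on iter3-linux.nftables.args in the next header, marks a pure data fixture as executable. The file is a list of `nft add rule` and `nft delete element` command lines, so running it by accident under a shell with root privileges would modify the host's bridge ruleset. Unless the test harness needs the executable bit, which nothing on this page suggests, the fixtures should be added as `100644`.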
@@ -0,0 +1,410 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +udp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +udp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +udp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +udp \ +dport 
\ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1100 \ +sctp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1100 \ +sctp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' 
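Review bot: The tail of this expected output replaces each per-interface map entry with a separate `nft delete element … vmap-oif '{' vnet0 '}'` followed by a separate `nft add element … vmap-oif '{' vnet0 : jump n-vnet0-in '}'`, so between the two invocations vnet0 has no entry in the map. The same holds for vmap-iif, and the same tail repeats in the mac, rarp, sctp, stp, target, target2 and tcp fixtures. What happens to a packet in that gap depends on the base chain's policy, which is not visible here, so confirm that it fails closed; sending the delete and the add as one batch through `nft -f -` would remove the window. The tail also adds `postrouting oif vnet0 jump n-vnet0-in` as a plain rule next to the map entry that jumps to the same chain, so the interface chain may be evaluated twice. A comment in the test source should say which of the two dispatch paths is authoritative.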
diff --git a/tests/nwfilterxml2firewalldata/mac-linux.nftables.args b/tests/nwfilterxml2firewalldata/mac-linux.nftables.args
new file mode 100755
index 0000000000..81eac763af
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/mac-linux.nftables.args
@@ -0,0 +1,176 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x800 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x600 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0xffff \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 
\ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/rarp-linux.nftables.args b/tests/nwfilterxml2firewalldata/rarp-linux.nftables.args new file mode 100755 index 0000000000..015c1d6c74 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/rarp-linux.nftables.args 
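Review bot: The file header for this fixture says `new file mode 100755`, although it is an expected-output data file; the stp fixture in the same commit is added as `100644`. The executable bit is also set on the iter3, rarp, sctp, sctp-ipv6, target, target2, tcp and tcp-ipv6 fixtures. Add them all as `100644` so that nothing under the test data directory is marked executable.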
@@ -0,0 +1,207 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8035 \ +@nh,0,16 \ +0xc \ +@nh,40,16 \ +0x22 \ +@nh,48,16 \ +0x1 \ +@nh,64,48 \ +0x010203040506 \ +@nh,144,48 \ +0x0a0b0c0d0e0f \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +type \ +0x8035 \ +@nh,0,16 \ +0xff \ +@nh,40,16 \ +0xff \ +@nh,48,16 \ +0x1 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +type \ +0x8035 \ +@nh,0,16 \ +0x100 \ +@nh,40,16 \ +0x100 \ +@nh,48,16 \ +0xb \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +type \ +0x8035 \ +@nh,0,16 \ +0xffff \ +@nh,40,16 \ +0xffff \ +@nh,48,16 \ +0xffff \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ 
+element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.nftables.args b/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.nftables.args new file mode 100755 index 0000000000..6be5973e7e --- /dev/null +++ b/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.nftables.args 
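Review bot: The first two rules of this fixture can never match, because `@nh,40,16` and `@nh,48,16` overlap by one byte and require different values for it. Bits 48–55 must be 0x22 (0xff in the second rule) to satisfy the first comparison and 0x00 to satisfy the second. If the value at offset 40 is meant to be the protocol type, that field sits at bit offset 16 of the ARP/RARP header and offset 40 is the protocol-length byte, so the expected line should read `+@nh,16,16 \` and the generator should be changed to match. As written, the test pins an accept rule that silently matches nothing. The third and fourth rules only look consistent because their two values happen to agree on the shared byte.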
@@ -0,0 +1,316 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +sctp \ +dport \ +100-1111 \ +sctp \ +sport \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +sctp \ +sport \ +100-1111 \ +sctp \ +dport \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +sctp \ +dport \ +65535-65535 \ +sctp \ +sport \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +sctp \ +sport \ +65535-65535 \ +sctp \ +dport \ +255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge 
\ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/sctp-linux.nftables.args b/tests/nwfilterxml2firewalldata/sctp-linux.nftables.args new file mode 100755 index 0000000000..b414d05022 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/sctp-linux.nftables.args 
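Review bot: The mirrored reply-direction rules keep `ether saddr 01:02:03:04:05:06` unchanged while every other selector is flipped (`ip6 daddr` becomes `ip6 saddr`, and `sctp dport`/`sctp sport` swap). The reply rule therefore requires the return packet to carry the same source MAC as the original packet. Unless both ends share that MAC, the `ct direction reply … ct state established accept` rule will not match the return traffic it was generated for. The mirrored rule should presumably emit `+daddr \` after `+ether \`, or leave the MAC match out. The same pattern appears in the sctp, target, tcp-ipv6 and tcp fixtures.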
@@ -0,0 +1,316 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +sctp \ +dport \ +100-1111 \ +sctp \ +sport \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +sctp \ +sport \ +100-1111 \ +sctp \ +dport \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +sctp \ +dport \ +65535-65535 \ +sctp \ +sport \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +sctp \ +sport \ +65535-65535 \ +sctp \ +dport \ +255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ 
+oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/stp-linux.nftables.args b/tests/nwfilterxml2firewalldata/stp-linux.nftables.args new file mode 100644 index 0000000000..4dabd3cbc2 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/stp-linux.nftables.args 
@@ -0,0 +1,233 @@ +nft \ +add \ +chain \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-stp-xyz-in \ +'{ }' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +daddr \ +01:80:c2:00:00:00 \ +jump \ +n-vnet0-stp-xyz-in +nft \ +add \ +chain \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-stp-xyz-out \ +'{ }' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +daddr \ +01:80:c2:00:00:00 \ +jump \ +n-vnet0-stp-xyz-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-stp-xyz-in \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +daddr \ +01:80:c2:00:00:00 \ +@nh,48,8 \ +0x12 \ +@nh,56,8 \ +0x44 \ +continue +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-stp-xyz-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +daddr \ +01:80:c2:00:00:00 \ +@nh,64,16 \ +'!=' \ +0x1234-0x2345 \ +@nh,80,48 \ +'&' \ +0x060504030201 \ +0x060504030201 \ +@nh,128,32 \ +'!=' \ +0x11223344-0x22334455 \ +return +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-stp-xyz-in \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +daddr \ +01:80:c2:00:00:00 \ +@nh,160,16 \ +'!=' \ +0x1234 \ +@nh,176,48 \ +0x060504030201 \ +@nh,224,16 \ +'!=' \ +0x7b-0xea \ +@nh,240,16 \ +'!=' \ +0x15a8-0x15b3 \ +@nh,256,16 \ +'!=' \ +0x1e61-0x22b8 \ +@nh,272,16 \ +'!=' \ +0x3039-0x303a \ +@nh,288,16 \ +'!=' \ +0xd431-0xff98 \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ 
+libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/target-linux.nftables.args b/tests/nwfilterxml2firewalldata/target-linux.nftables.args new file mode 100755 index 0000000000..fa323e8b58 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/target-linux.nftables.args 
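Review bot: In the n-vnet0-stp-xyz-out rule the masked match is pinned as `@nh,80,48 '&' 0x060504030201 0x060504030201`, with the same literal for both operands and no explicit comparison operator. Because the mask and the value are identical, this expected output would still pass if the generator swapped them. It also differs from the `ether saddr '& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06'` form used earlier in the same rule. Check the literal against the mask given in the filter XML, which is not shown here, and have the generator emit the comparison explicitly, i.e. a `+== \` line between the two literals, so that both masked matches read the same way.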
@@ -0,0 +1,454 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"usercomment=accept rule -- dir out"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"usercomment=accept rule -- dir out"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +drop \ +comment \ +'"usercomment=drop rule -- dir out"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +drop \ +comment \ +'"usercomment=reject rule -- dir out"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"usercomment=accept rule -- dir in"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"usercomment=accept rule -- dir in"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +drop \ +comment \ +'"usercomment=drop rule -- dir in"' +nft \ +add \ +rule \ +bridge \ 
+libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +drop \ +comment \ +'"usercomment=reject rule -- dir in"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"usercomment=accept rule -- dir inout"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"usercomment=accept rule -- dir inout"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"usercomment=drop rule -- dir inout"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"usercomment=reject rule -- dir inout"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x800 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x800 \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x800 \ +drop +nft 
\ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/target2-linux.nftables.args b/tests/nwfilterxml2firewalldata/target2-linux.nftables.args new file mode 100755 index 0000000000..04cc52c06f --- /dev/null +++ b/tests/nwfilterxml2firewalldata/target2-linux.nftables.args 
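Review bot: The rules commented `drop rule -- dir inout` and `reject rule -- dir inout` are expected only in `n-vnet0-in`, while the `accept rule -- dir inout` rule is expected in both `n-vnet0-in` and `n-vnet0-out`. Going by those comments, the out chain is missing its drop rules. The target2 fixture in this commit does emit its trailing `ether type ip drop` in both chains, so this looks like a generator gap rather than intent, and the expected output should gain the matching `n-vnet0-out … drop` rules once that is confirmed against the filter XML. Separately, every rule commented as reject is pinned to a `drop` verdict. If the nftables driver maps reject to drop on purpose, state that in a comment in the test source so the difference from a real reject is not mistaken for a regression later.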
@@ -0,0 +1,302 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +dport \ +22 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +sport \ +22 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +sport \ +22 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +dport \ +22 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +dport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +sport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge 
\ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.nftables.args b/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.nftables.args new file mode 100755 index 0000000000..1d7c8e844a --- /dev/null +++ b/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.nftables.args 
@@ -0,0 +1,316 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +tcp \ +dport \ +100-1111 \ +tcp \ +sport \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +tcp \ +sport \ +100-1111 \ +tcp \ +dport \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +tcp \ +dport \ +65535-65535 \ +tcp \ +sport \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +tcp \ +sport \ +65535-65535 \ +tcp \ +dport \ +255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ 
+libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/tcp-linux.nftables.args b/tests/nwfilterxml2firewalldata/tcp-linux.nftables.args new file mode 100755 index 0000000000..770fc7bb0c --- /dev/null +++ b/tests/nwfilterxml2firewalldata/tcp-linux.nftables.args 
@@ -0,0 +1,452 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +tcp \ +dport \ +100-1111 \ +tcp \ +sport \ +20-21 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +tcp \ +dport \ +65535-65535 \ +tcp \ +sport \ +255-256 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +syn \ +== \ +'{' \ +'*' \ +'}' \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +syn \ +== \ +'{' \ +'*' \ +'}' \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +syn \ +== \ +'{' \ +syn,ack \ +'}' \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ 
+flags \ +'&' \ +syn \ +== \ +'{' \ +syn,ack \ +'}' \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +rst \ +== \ +'{' \ +0 \ +'}' \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +rst \ +== \ +'{' \ +0 \ +'}' \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +psh \ +== \ +'{' \ +0 \ +'}' \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +psh \ +== \ +'{' \ +0 \ +'}' \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ 
+element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/udp-ipv6-linux.nftables.args b/tests/nwfilterxml2firewalldata/udp-ipv6-linux.nftables.args new file mode 100755 index 0000000000..476e38c4f2 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/udp-ipv6-linux.nftables.args 
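Review bot: The expected rules for the flag matches put the comparison value in an anonymous set (`tcp flags '&' syn == '{' syn,ack '}'` and `tcp flags '&' syn == '{' '*' '}'`), and a set on the right-hand side is a membership test, not a bitmask equality. With a `syn`-only mask the first form matches every segment that has SYN set, and `*` inside braces is, as far as I know, nft's catch-all element rather than a flag name, so these `accept` rules are probably broader than a mask/compare match in the style of iptables `--tcp-flags` would be. If the driver is meant to compare the masked flags against a value, the fixture should pin a plain value such as `== 'syn|ack'` (and the spelled-out flag list instead of `*`). The generator that emits these arguments is outside this hunk, so the change belongs there and the fixture follows. It would also help to confirm that the expected commands load under `nft --check` before they are locked in as golden output.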
@@ -0,0 +1,316 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::a:b:c/128 \ +ip6 \ +dscp \ +33 \ +udp \ +dport \ +100-1111 \ +udp \ +sport \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::a:b:c/128 \ +ip6 \ +dscp \ +33 \ +udp \ +sport \ +100-1111 \ +udp \ +dport \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +udp \ +dport \ +65535-65535 \ +udp \ +sport \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +udp \ +sport \ +65535-65535 \ +udp \ +dport \ +255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ 
+libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/udp-linux.nftables.args b/tests/nwfilterxml2firewalldata/udp-linux.nftables.args new file mode 100755 index 0000000000..641a60df0c --- /dev/null +++ b/tests/nwfilterxml2firewalldata/udp-linux.nftables.args 
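Review bot: This fixture is created with `new file mode 100755`, but it appears to be an expected-arguments listing that the test compares against rather than something that is run, so the executable bit should be dropped: `new file mode 100644`, as on tests/nwfilterxml2nftfirewalltest.c in the same patch. The same mode is set on the other .nftables.args files visible here (tcp-linux, udp-linux, udplite-ipv6, udplite-linux, vlan-linux). Keeping data files non-executable stops a stray fixture from being picked up by anything that runs executables found in the tree.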
@@ -0,0 +1,316 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +udp \ +dport \ +100-1111 \ +udp \ +sport \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +udp \ +sport \ +100-1111 \ +udp \ +dport \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +udp \ +dport \ +65535-65535 \ +udp \ +sport \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +udp \ +sport \ +65535-65535 \ +udp \ +dport \ +255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ 
+jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.nftables.args b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.nftables.args new file mode 100755 index 0000000000..6051b1bdf9 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.nftables.args 
@@ -0,0 +1,298 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ 
+postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/udplite-linux.nftables.args b/tests/nwfilterxml2firewalldata/udplite-linux.nftables.args new file mode 100755 index 0000000000..d770a56268 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/udplite-linux.nftables.args 
@@ -0,0 +1,292 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ 
+vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/vlan-linux.nftables.args b/tests/nwfilterxml2firewalldata/vlan-linux.nftables.args new file mode 100755 index 0000000000..fabdc5f9da --- /dev/null +++ b/tests/nwfilterxml2firewalldata/vlan-linux.nftables.args 
@@ -0,0 +1,257 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +vlan \ +id \ +291 \ +continue +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +vlan \ +id \ +291 \ +continue +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +vlan \ +id \ +1234 \ +return +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +vlan \ +id \ +1234 \ +return +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +vlan \ +id \ +291 \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +vlan \ +type \ +2054 \ +drop +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +vlan \ +type \ +4660 \ +accept +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ 
+libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalltest.c b/tests/nwfilterxml2nftfirewalltest.c new file mode 100644 index 0000000000..d96297b8fc --- /dev/null +++ b/tests/nwfilterxml2nftfirewalltest.c 
@@ -0,0 +1,432 @@
+/*
+ * nwfilterxml2nftfirewalltest.c: Test iptables rule generation
+ *
+ * Copyright (C) 2014 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <config.h>
+
+#if defined (__linux__)
+
+# include "testutils.h"
+# include "nwfilter/nwfilter_nftables_driver.h"
+# include "virbuffer.h"
+
+# define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW
+# include "vircommandpriv.h"
+
+# define VIR_FROM_THIS VIR_FROM_NONE
+
+# ifdef __linux__
+# define RULESTYPE "linux"
+# else
+# error "test case not ported to this platform"
+# endif
+
+typedef struct _virNWFilterInst virNWFilterInst;
+struct _virNWFilterInst {
+ virNWFilterDef **filters;
+ size_t nfilters;
+ virNWFilterRuleInst **rules;
+ size_t nrules;
+};
+
+/*
+ * Some sets of rules that will be common to all test files,
+ * so we don't bother including them in the test data files
+ * as that would just bloat them
+ */
+static const char *commonRules[] = {
+ "nft \\\nlist \\\ntables\n"
+ "nft \\\nlist \\\nchains\n"
+ "nft \\\nadd \\\ntable \\\nbridge \\\nlibvirt_nwfilter_ethernet \\\n'{ comment \"Managed by libvirt for network filters: https://libvirt.org/firewall.html#the-network-filter-driver\"; }'\n"
+ "nft \\\nadd \\\nset \\\nbridge \\\nlibvirt_nwfilter_ethernet \\\nsame-ip-set \\\n'{ type ipv4_addr . 
ipv4_addr; }'\n" + "nft \\\nadd \\\nelement \\\nbridge \\\nlibvirt_nwfilter_ethernet \\\nsame-ip-set \\\n'{' \\\n0.0.0.0 \\\n. \\\n0.0.0.0 \\\n, \\\n1.0.0.0 \\\n. \\\n1.0.0.0 \\\n, \\\n2.0.0.0 \\\n. \\\n2.0.0.0 \\\n, \\\n3.0.0.0 \\\n. \\\n3.0.0.0 \\\n, \\\n4.0.0.0 \\\n. \\\n4.0.0.0 \\\n, \\\n5.0.0.0 \\\n. \\\n5.0.0.0 \\\n, \\\n6.0.0.0 \\\n. \\\n6.0.0.0 \\\n, \\\n7.0.0.0 \\\n. \\\n7.0.0.0 \\\n, \\\n8.0.0.0 \\\n. \\\n8.0.0.0 \\\n, \\\n9.0.0.0 \\\n. \\\n9.0.0.0 \\\n, \\\n10.0.0.0 \\\n. \\\n10.0.0.0 \\\n, \\\n11.0.0.0 \\\n. \\\n11.0.0.0 \\\n, \\\n12.0.0.0 \\\n. \\\n12.0.0.0 \\\n, \\\n13.0.0.0 \\\n. \\\n13.0.0.0 \\\n, \\\n14.0.0.0 \\\n. \\\n14.0.0.0 \\\n, \\\n15.0.0.0 \\\n. \\\n15.0.0.0 \\\n, \\\n16.0.0.0 \\\n. \\\n16.0.0.0 \\\n, \\\n17.0.0.0 \\\n. \\\n17.0.0.0 \\\n, \\\n18.0.0.0 \\\n. \\\n18.0.0.0 \\\n, \\\n19.0.0.0 \\\n. \\\n19.0.0.0 \\\n, \\\n20.0.0.0 \\\n. \\\n20.0.0.0 \\\n, \\\n21.0.0.0 \\\n. \\\n21.0.0.0 \\\n, \\\n22.0.0.0 \\\n. \\\n22.0.0.0 \\\n, \\\n23.0.0.0 \\\n. \\\n23.0.0.0 \\\n, \\\n24.0.0.0 \\\n. \\\n24.0.0.0 \\\n, \\\n25.0.0.0 \\\n. \\\n25.0.0.0 \\\n, \\\n26.0.0.0 \\\n. \\\n26.0.0.0 \\\n, \\\n27.0.0.0 \\\n. \\\n27.0.0.0 \\\n, \\\n28.0.0.0 \\\n. \\\n28.0.0.0 \\\n, \\\n29.0.0.0 \\\n. \\\n29.0.0.0 \\\n, \\\n30.0.0.0 \\\n. \\\n30.0.0.0 \\\n, \\\n31.0.0.0 \\\n. \\\n31.0.0.0 \\\n, \\\n32.0.0.0 \\\n. \\\n32.0.0.0 \\\n, \\\n33.0.0.0 \\\n. \\\n33.0.0.0 \\\n, \\\n34.0.0.0 \\\n. \\\n34.0.0.0 \\\n, \\\n35.0.0.0 \\\n. \\\n35.0.0.0 \\\n, \\\n36.0.0.0 \\\n. \\\n36.0.0.0 \\\n, \\\n37.0.0.0 \\\n. \\\n37.0.0.0 \\\n, \\\n38.0.0.0 \\\n. \\\n38.0.0.0 \\\n, \\\n39.0.0.0 \\\n. \\\n39.0.0.0 \\\n, \\\n40.0.0.0 \\\n. \\\n40.0.0.0 \\\n, \\\n41.0.0.0 \\\n. \\\n41.0.0.0 \\\n, \\\n42.0.0.0 \\\n. \\\n42.0.0.0 \\\n, \\\n43.0.0.0 \\\n. \\\n43.0.0.0 \\\n, \\\n44.0.0.0 \\\n. \\\n44.0.0.0 \\\n, \\\n45.0.0.0 \\\n. \\\n45.0.0.0 \\\n, \\\n46.0.0.0 \\\n. \\\n46.0.0.0 \\\n, \\\n47.0.0.0 \\\n. \\\n47.0.0.0 \\\n, \\\n48.0.0.0 \\\n. \\\n48.0.0.0 \\\n, \\\n49.0.0.0 \\\n. 
\\\n49.0.0.0 \\\n, \\\n50.0.0.0 \\\n. \\\n50.0.0.0 \\\n, \\\n51.0.0.0 \\\n. \\\n51.0.0.0 \\\n, \\\n52.0.0.0 \\\n. \\\n52.0.0.0 \\\n, \\\n53.0.0.0 \\\n. \\\n53.0.0.0 \\\n, \\\n54.0.0.0 \\\n. \\\n54.0.0.0 \\\n, \\\n55.0.0.0 \\\n. \\\n55.0.0.0 \\\n, \\\n56.0.0.0 \\\n. \\\n56.0.0.0 \\\n, \\\n57.0.0.0 \\\n. \\\n57.0.0.0 \\\n, \\\n58.0.0.0 \\\n. \\\n58.0.0.0 \\\n, \\\n59.0.0.0 \\\n. \\\n59.0.0.0 \\\n, \\\n60.0.0.0 \\\n. \\\n60.0.0.0 \\\n, \\\n61.0.0.0 \\\n. \\\n61.0.0.0 \\\n, \\\n62.0.0.0 \\\n. \\\n62.0.0.0 \\\n, \\\n63.0.0.0 \\\n. \\\n63.0.0.0 \\\n, \\\n64.0.0.0 \\\n. \\\n64.0.0.0 \\\n, \\\n65.0.0.0 \\\n. \\\n65.0.0.0 \\\n, \\\n66.0.0.0 \\\n. \\\n66.0.0.0 \\\n, \\\n67.0.0.0 \\\n. \\\n67.0.0.0 \\\n, \\\n68.0.0.0 \\\n. \\\n68.0.0.0 \\\n, \\\n69.0.0.0 \\\n. \\\n69.0.0.0 \\\n, \\\n70.0.0.0 \\\n. \\\n70.0.0.0 \\\n, \\\n71.0.0.0 \\\n. \\\n71.0.0.0 \\\n, \\\n72.0.0.0 \\\n. \\\n72.0.0.0 \\\n, \\\n73.0.0.0 \\\n. \\\n73.0.0.0 \\\n, \\\n74.0.0.0 \\\n. \\\n74.0.0.0 \\\n, \\\n75.0.0.0 \\\n. \\\n75.0.0.0 \\\n, \\\n76.0.0.0 \\\n. \\\n76.0.0.0 \\\n, \\\n77.0.0.0 \\\n. \\\n77.0.0.0 \\\n, \\\n78.0.0.0 \\\n. \\\n78.0.0.0 \\\n, \\\n79.0.0.0 \\\n. \\\n79.0.0.0 \\\n, \\\n80.0.0.0 \\\n. \\\n80.0.0.0 \\\n, \\\n81.0.0.0 \\\n. \\\n81.0.0.0 \\\n, \\\n82.0.0.0 \\\n. \\\n82.0.0.0 \\\n, \\\n83.0.0.0 \\\n. \\\n83.0.0.0 \\\n, \\\n84.0.0.0 \\\n. \\\n84.0.0.0 \\\n, \\\n85.0.0.0 \\\n. \\\n85.0.0.0 \\\n, \\\n86.0.0.0 \\\n. \\\n86.0.0.0 \\\n, \\\n87.0.0.0 \\\n. \\\n87.0.0.0 \\\n, \\\n88.0.0.0 \\\n. \\\n88.0.0.0 \\\n, \\\n89.0.0.0 \\\n. \\\n89.0.0.0 \\\n, \\\n90.0.0.0 \\\n. \\\n90.0.0.0 \\\n, \\\n91.0.0.0 \\\n. \\\n91.0.0.0 \\\n, \\\n92.0.0.0 \\\n. \\\n92.0.0.0 \\\n, \\\n93.0.0.0 \\\n. \\\n93.0.0.0 \\\n, \\\n94.0.0.0 \\\n. \\\n94.0.0.0 \\\n, \\\n95.0.0.0 \\\n. \\\n95.0.0.0 \\\n, \\\n96.0.0.0 \\\n. \\\n96.0.0.0 \\\n, \\\n97.0.0.0 \\\n. \\\n97.0.0.0 \\\n, \\\n98.0.0.0 \\\n. \\\n98.0.0.0 \\\n, \\\n99.0.0.0 \\\n. \\\n99.0.0.0 \\\n, \\\n100.0.0.0 \\\n. \\\n100.0.0.0 \\\n, \\\n101.0.0.0 \\\n. 
\\\n101.0.0.0 \\\n, \\\n102.0.0.0 \\\n. \\\n102.0.0.0 \\\n, \\\n103.0.0.0 \\\n. \\\n103.0.0.0 \\\n, \\\n104.0.0.0 \\\n. \\\n104.0.0.0 \\\n, \\\n105.0.0.0 \\\n. \\\n105.0.0.0 \\\n, \\\n106.0.0.0 \\\n. \\\n106.0.0.0 \\\n, \\\n107.0.0.0 \\\n. \\\n107.0.0.0 \\\n, \\\n108.0.0.0 \\\n. \\\n108.0.0.0 \\\n, \\\n109.0.0.0 \\\n. \\\n109.0.0.0 \\\n, \\\n110.0.0.0 \\\n. \\\n110.0.0.0 \\\n, \\\n111.0.0.0 \\\n. \\\n111.0.0.0 \\\n, \\\n112.0.0.0 \\\n. \\\n112.0.0.0 \\\n, \\\n113.0.0.0 \\\n. \\\n113.0.0.0 \\\n, \\\n114.0.0.0 \\\n. \\\n114.0.0.0 \\\n, \\\n115.0.0.0 \\\n. \\\n115.0.0.0 \\\n, \\\n116.0.0.0 \\\n. \\\n116.0.0.0 \\\n, \\\n117.0.0.0 \\\n. \\\n117.0.0.0 \\\n, \\\n118.0.0.0 \\\n. \\\n118.0.0.0 \\\n, \\\n119.0.0.0 \\\n. \\\n119.0.0.0 \\\n, \\\n120.0.0.0 \\\n. \\\n120.0.0.0 \\\n, \\\n121.0.0.0 \\\n. \\\n121.0.0.0 \\\n, \\\n122.0.0.0 \\\n. \\\n122.0.0.0 \\\n, \\\n123.0.0.0 \\\n. \\\n123.0.0.0 \\\n, \\\n124.0.0.0 \\\n. \\\n124.0.0.0 \\\n, \\\n125.0.0.0 \\\n. \\\n125.0.0.0 \\\n, \\\n126.0.0.0 \\\n. \\\n126.0.0.0 \\\n, \\\n127.0.0.0 \\\n. \\\n127.0.0.0 \\\n, \\\n128.0.0.0 \\\n. \\\n128.0.0.0 \\\n, \\\n129.0.0.0 \\\n. \\\n129.0.0.0 \\\n, \\\n130.0.0.0 \\\n. \\\n130.0.0.0 \\\n, \\\n131.0.0.0 \\\n. \\\n131.0.0.0 \\\n, \\\n132.0.0.0 \\\n. \\\n132.0.0.0 \\\n, \\\n133.0.0.0 \\\n. \\\n133.0.0.0 \\\n, \\\n134.0.0.0 \\\n. \\\n134.0.0.0 \\\n, \\\n135.0.0.0 \\\n. \\\n135.0.0.0 \\\n, \\\n136.0.0.0 \\\n. \\\n136.0.0.0 \\\n, \\\n137.0.0.0 \\\n. \\\n137.0.0.0 \\\n, \\\n138.0.0.0 \\\n. \\\n138.0.0.0 \\\n, \\\n139.0.0.0 \\\n. \\\n139.0.0.0 \\\n, \\\n140.0.0.0 \\\n. \\\n140.0.0.0 \\\n, \\\n141.0.0.0 \\\n. \\\n141.0.0.0 \\\n, \\\n142.0.0.0 \\\n. \\\n142.0.0.0 \\\n, \\\n143.0.0.0 \\\n. \\\n143.0.0.0 \\\n, \\\n144.0.0.0 \\\n. \\\n144.0.0.0 \\\n, \\\n145.0.0.0 \\\n. \\\n145.0.0.0 \\\n, \\\n146.0.0.0 \\\n. \\\n146.0.0.0 \\\n, \\\n147.0.0.0 \\\n. \\\n147.0.0.0 \\\n, \\\n148.0.0.0 \\\n. \\\n148.0.0.0 \\\n, \\\n149.0.0.0 \\\n. \\\n149.0.0.0 \\\n, \\\n150.0.0.0 \\\n. \\\n150.0.0.0 \\\n, \\\n151.0.0.0 \\\n. 
\\\n151.0.0.0 \\\n, \\\n152.0.0.0 \\\n. \\\n152.0.0.0 \\\n, \\\n153.0.0.0 \\\n. \\\n153.0.0.0 \\\n, \\\n154.0.0.0 \\\n. \\\n154.0.0.0 \\\n, \\\n155.0.0.0 \\\n. \\\n155.0.0.0 \\\n, \\\n156.0.0.0 \\\n. \\\n156.0.0.0 \\\n, \\\n157.0.0.0 \\\n. \\\n157.0.0.0 \\\n, \\\n158.0.0.0 \\\n. \\\n158.0.0.0 \\\n, \\\n159.0.0.0 \\\n. \\\n159.0.0.0 \\\n, \\\n160.0.0.0 \\\n. \\\n160.0.0.0 \\\n, \\\n161.0.0.0 \\\n. \\\n161.0.0.0 \\\n, \\\n162.0.0.0 \\\n. \\\n162.0.0.0 \\\n, \\\n163.0.0.0 \\\n. \\\n163.0.0.0 \\\n, \\\n164.0.0.0 \\\n. \\\n164.0.0.0 \\\n, \\\n165.0.0.0 \\\n. \\\n165.0.0.0 \\\n, \\\n166.0.0.0 \\\n. \\\n166.0.0.0 \\\n, \\\n167.0.0.0 \\\n. \\\n167.0.0.0 \\\n, \\\n168.0.0.0 \\\n. \\\n168.0.0.0 \\\n, \\\n169.0.0.0 \\\n. \\\n169.0.0.0 \\\n, \\\n170.0.0.0 \\\n. \\\n170.0.0.0 \\\n, \\\n171.0.0.0 \\\n. \\\n171.0.0.0 \\\n, \\\n172.0.0.0 \\\n. \\\n172.0.0.0 \\\n, \\\n173.0.0.0 \\\n. \\\n173.0.0.0 \\\n, \\\n174.0.0.0 \\\n. \\\n174.0.0.0 \\\n, \\\n175.0.0.0 \\\n. \\\n175.0.0.0 \\\n, \\\n176.0.0.0 \\\n. \\\n176.0.0.0 \\\n, \\\n177.0.0.0 \\\n. \\\n177.0.0.0 \\\n, \\\n178.0.0.0 \\\n. \\\n178.0.0.0 \\\n, \\\n179.0.0.0 \\\n. \\\n179.0.0.0 \\\n, \\\n180.0.0.0 \\\n. \\\n180.0.0.0 \\\n, \\\n181.0.0.0 \\\n. \\\n181.0.0.0 \\\n, \\\n182.0.0.0 \\\n. \\\n182.0.0.0 \\\n, \\\n183.0.0.0 \\\n. \\\n183.0.0.0 \\\n, \\\n184.0.0.0 \\\n. \\\n184.0.0.0 \\\n, \\\n185.0.0.0 \\\n. \\\n185.0.0.0 \\\n, \\\n186.0.0.0 \\\n. \\\n186.0.0.0 \\\n, \\\n187.0.0.0 \\\n. \\\n187.0.0.0 \\\n, \\\n188.0.0.0 \\\n. \\\n188.0.0.0 \\\n, \\\n189.0.0.0 \\\n. \\\n189.0.0.0 \\\n, \\\n190.0.0.0 \\\n. \\\n190.0.0.0 \\\n, \\\n191.0.0.0 \\\n. \\\n191.0.0.0 \\\n, \\\n192.0.0.0 \\\n. \\\n192.0.0.0 \\\n, \\\n193.0.0.0 \\\n. \\\n193.0.0.0 \\\n, \\\n194.0.0.0 \\\n. \\\n194.0.0.0 \\\n, \\\n195.0.0.0 \\\n. \\\n195.0.0.0 \\\n, \\\n196.0.0.0 \\\n. \\\n196.0.0.0 \\\n, \\\n197.0.0.0 \\\n. \\\n197.0.0.0 \\\n, \\\n198.0.0.0 \\\n. \\\n198.0.0.0 \\\n, \\\n199.0.0.0 \\\n. \\\n199.0.0.0 \\\n, \\\n200.0.0.0 \\\n. \\\n200.0.0.0 \\\n, \\\n201.0.0.0 \\\n. 
\\\n201.0.0.0 \\\n, \\\n202.0.0.0 \\\n. \\\n202.0.0.0 \\\n, \\\n203.0.0.0 \\\n. \\\n203.0.0.0 \\\n, \\\n204.0.0.0 \\\n. \\\n204.0.0.0 \\\n, \\\n205.0.0.0 \\\n. \\\n205.0.0.0 \\\n, \\\n206.0.0.0 \\\n. \\\n206.0.0.0 \\\n, \\\n207.0.0.0 \\\n. \\\n207.0.0.0 \\\n, \\\n208.0.0.0 \\\n. \\\n208.0.0.0 \\\n, \\\n209.0.0.0 \\\n. \\\n209.0.0.0 \\\n, \\\n210.0.0.0 \\\n. \\\n210.0.0.0 \\\n, \\\n211.0.0.0 \\\n. \\\n211.0.0.0 \\\n, \\\n212.0.0.0 \\\n. \\\n212.0.0.0 \\\n, \\\n213.0.0.0 \\\n. \\\n213.0.0.0 \\\n, \\\n214.0.0.0 \\\n. \\\n214.0.0.0 \\\n, \\\n215.0.0.0 \\\n. \\\n215.0.0.0 \\\n, \\\n216.0.0.0 \\\n. \\\n216.0.0.0 \\\n, \\\n217.0.0.0 \\\n. \\\n217.0.0.0 \\\n, \\\n218.0.0.0 \\\n. \\\n218.0.0.0 \\\n, \\\n219.0.0.0 \\\n. \\\n219.0.0.0 \\\n, \\\n220.0.0.0 \\\n. \\\n220.0.0.0 \\\n, \\\n221.0.0.0 \\\n. \\\n221.0.0.0 \\\n, \\\n222.0.0.0 \\\n. \\\n222.0.0.0 \\\n, \\\n223.0.0.0 \\\n. \\\n223.0.0.0 \\\n, \\\n224.0.0.0 \\\n. \\\n224.0.0.0 \\\n, \\\n225.0.0.0 \\\n. \\\n225.0.0.0 \\\n, \\\n226.0.0.0 \\\n. \\\n226.0.0.0 \\\n, \\\n227.0.0.0 \\\n. \\\n227.0.0.0 \\\n, \\\n228.0.0.0 \\\n. \\\n228.0.0.0 \\\n, \\\n229.0.0.0 \\\n. \\\n229.0.0.0 \\\n, \\\n230.0.0.0 \\\n. \\\n230.0.0.0 \\\n, \\\n231.0.0.0 \\\n. \\\n231.0.0.0 \\\n, \\\n232.0.0.0 \\\n. \\\n232.0.0.0 \\\n, \\\n233.0.0.0 \\\n. \\\n233.0.0.0 \\\n, \\\n234.0.0.0 \\\n. \\\n234.0.0.0 \\\n, \\\n235.0.0.0 \\\n. \\\n235.0.0.0 \\\n, \\\n236.0.0.0 \\\n. \\\n236.0.0.0 \\\n, \\\n237.0.0.0 \\\n. \\\n237.0.0.0 \\\n, \\\n238.0.0.0 \\\n. \\\n238.0.0.0 \\\n, \\\n239.0.0.0 \\\n. \\\n239.0.0.0 \\\n, \\\n240.0.0.0 \\\n. \\\n240.0.0.0 \\\n, \\\n241.0.0.0 \\\n. \\\n241.0.0.0 \\\n, \\\n242.0.0.0 \\\n. \\\n242.0.0.0 \\\n, \\\n243.0.0.0 \\\n. \\\n243.0.0.0 \\\n, \\\n244.0.0.0 \\\n. \\\n244.0.0.0 \\\n, \\\n245.0.0.0 \\\n. \\\n245.0.0.0 \\\n, \\\n246.0.0.0 \\\n. \\\n246.0.0.0 \\\n, \\\n247.0.0.0 \\\n. \\\n247.0.0.0 \\\n, \\\n248.0.0.0 \\\n. \\\n248.0.0.0 \\\n, \\\n249.0.0.0 \\\n. \\\n249.0.0.0 \\\n, \\\n250.0.0.0 \\\n. \\\n250.0.0.0 \\\n, \\\n251.0.0.0 \\\n. 
\\\n251.0.0.0 \\\n, \\\n252.0.0.0 \\\n. \\\n252.0.0.0 \\\n, \\\n253.0.0.0 \\\n. \\\n253.0.0.0 \\\n, \\\n254.0.0.0 \\\n. \\\n254.0.0.0 \\\n, \\\n255.0.0.0 \\\n. \\\n255.0.0.0 \\\n, \\\n0.0.0.0 \\\n. \\\n0.0.0.0 \\\n, \\\n0.1.0.0 \\\n. \\\n0.1.0.0 \\\n, \\\n0.2.0.0 \\\n. \\\n0.2.0.0 \\\n, \\\n0.3.0.0 \\\n. \\\n0.3.0.0 \\\n, \\\n0.4.0.0 \\\n. \\\n0.4.0.0 \\\n, \\\n0.5.0.0 \\\n. \\\n0.5.0.0 \\\n, \\\n0.6.0.0 \\\n. \\\n0.6.0.0 \\\n, \\\n0.7.0.0 \\\n. \\\n0.7.0.0 \\\n, \\\n0.8.0.0 \\\n. \\\n0.8.0.0 \\\n, \\\n0.9.0.0 \\\n. \\\n0.9.0.0 \\\n, \\\n0.10.0.0 \\\n. \\\n0.10.0.0 \\\n, \\\n0.11.0.0 \\\n. \\\n0.11.0.0 \\\n, \\\n0.12.0.0 \\\n. \\\n0.12.0.0 \\\n, \\\n0.13.0.0 \\\n. \\\n0.13.0.0 \\\n, \\\n0.14.0.0 \\\n. \\\n0.14.0.0 \\\n, \\\n0.15.0.0 \\\n. \\\n0.15.0.0 \\\n, \\\n0.16.0.0 \\\n. \\\n0.16.0.0 \\\n, \\\n0.17.0.0 \\\n. \\\n0.17.0.0 \\\n, \\\n0.18.0.0 \\\n. \\\n0.18.0.0 \\\n, \\\n0.19.0.0 \\\n. \\\n0.19.0.0 \\\n, \\\n0.20.0.0 \\\n. \\\n0.20.0.0 \\\n, \\\n0.21.0.0 \\\n. \\\n0.21.0.0 \\\n, \\\n0.22.0.0 \\\n. \\\n0.22.0.0 \\\n, \\\n0.23.0.0 \\\n. \\\n0.23.0.0 \\\n, \\\n0.24.0.0 \\\n. \\\n0.24.0.0 \\\n, \\\n0.25.0.0 \\\n. \\\n0.25.0.0 \\\n, \\\n0.26.0.0 \\\n. \\\n0.26.0.0 \\\n, \\\n0.27.0.0 \\\n. \\\n0.27.0.0 \\\n, \\\n0.28.0.0 \\\n. \\\n0.28.0.0 \\\n, \\\n0.29.0.0 \\\n. \\\n0.29.0.0 \\\n, \\\n0.30.0.0 \\\n. \\\n0.30.0.0 \\\n, \\\n0.31.0.0 \\\n. \\\n0.31.0.0 \\\n, \\\n0.32.0.0 \\\n. \\\n0.32.0.0 \\\n, \\\n0.33.0.0 \\\n. \\\n0.33.0.0 \\\n, \\\n0.34.0.0 \\\n. \\\n0.34.0.0 \\\n, \\\n0.35.0.0 \\\n. \\\n0.35.0.0 \\\n, \\\n0.36.0.0 \\\n. \\\n0.36.0.0 \\\n, \\\n0.37.0.0 \\\n. \\\n0.37.0.0 \\\n, \\\n0.38.0.0 \\\n. \\\n0.38.0.0 \\\n, \\\n0.39.0.0 \\\n. \\\n0.39.0.0 \\\n, \\\n0.40.0.0 \\\n. \\\n0.40.0.0 \\\n, \\\n0.41.0.0 \\\n. \\\n0.41.0.0 \\\n, \\\n0.42.0.0 \\\n. \\\n0.42.0.0 \\\n, \\\n0.43.0.0 \\\n. \\\n0.43.0.0 \\\n, \\\n0.44.0.0 \\\n. \\\n0.44.0.0 \\\n, \\\n0.45.0.0 \\\n. \\\n0.45.0.0 \\\n, \\\n0.46.0.0 \\\n. \\\n0.46.0.0 \\\n, \\\n0.47.0.0 \\\n. 
\\\n0.47.0.0 \\\n, \\\n0.48.0.0 \\\n. \\\n0.48.0.0 \\\n, \\\n0.49.0.0 \\\n. \\\n0.49.0.0 \\\n, \\\n0.50.0.0 \\\n. \\\n0.50.0.0 \\\n, \\\n0.51.0.0 \\\n. \\\n0.51.0.0 \\\n, \\\n0.52.0.0 \\\n. \\\n0.52.0.0 \\\n, \\\n0.53.0.0 \\\n. \\\n0.53.0.0 \\\n, \\\n0.54.0.0 \\\n. \\\n0.54.0.0 \\\n, \\\n0.55.0.0 \\\n. \\\n0.55.0.0 \\\n, \\\n0.56.0.0 \\\n. \\\n0.56.0.0 \\\n, \\\n0.57.0.0 \\\n. \\\n0.57.0.0 \\\n, \\\n0.58.0.0 \\\n. \\\n0.58.0.0 \\\n, \\\n0.59.0.0 \\\n. \\\n0.59.0.0 \\\n, \\\n0.60.0.0 \\\n. \\\n0.60.0.0 \\\n, \\\n0.61.0.0 \\\n. \\\n0.61.0.0 \\\n, \\\n0.62.0.0 \\\n. \\\n0.62.0.0 \\\n, \\\n0.63.0.0 \\\n. \\\n0.63.0.0 \\\n, \\\n0.64.0.0 \\\n. \\\n0.64.0.0 \\\n, \\\n0.65.0.0 \\\n. \\\n0.65.0.0 \\\n, \\\n0.66.0.0 \\\n. \\\n0.66.0.0 \\\n, \\\n0.67.0.0 \\\n. \\\n0.67.0.0 \\\n, \\\n0.68.0.0 \\\n. \\\n0.68.0.0 \\\n, \\\n0.69.0.0 \\\n. \\\n0.69.0.0 \\\n, \\\n0.70.0.0 \\\n. \\\n0.70.0.0 \\\n, \\\n0.71.0.0 \\\n. \\\n0.71.0.0 \\\n, \\\n0.72.0.0 \\\n. \\\n0.72.0.0 \\\n, \\\n0.73.0.0 \\\n. \\\n0.73.0.0 \\\n, \\\n0.74.0.0 \\\n. \\\n0.74.0.0 \\\n, \\\n0.75.0.0 \\\n. \\\n0.75.0.0 \\\n, \\\n0.76.0.0 \\\n. \\\n0.76.0.0 \\\n, \\\n0.77.0.0 \\\n. \\\n0.77.0.0 \\\n, \\\n0.78.0.0 \\\n. \\\n0.78.0.0 \\\n, \\\n0.79.0.0 \\\n. \\\n0.79.0.0 \\\n, \\\n0.80.0.0 \\\n. \\\n0.80.0.0 \\\n, \\\n0.81.0.0 \\\n. \\\n0.81.0.0 \\\n, \\\n0.82.0.0 \\\n. \\\n0.82.0.0 \\\n, \\\n0.83.0.0 \\\n. \\\n0.83.0.0 \\\n, \\\n0.84.0.0 \\\n. \\\n0.84.0.0 \\\n, \\\n0.85.0.0 \\\n. \\\n0.85.0.0 \\\n, \\\n0.86.0.0 \\\n. \\\n0.86.0.0 \\\n, \\\n0.87.0.0 \\\n. \\\n0.87.0.0 \\\n, \\\n0.88.0.0 \\\n. \\\n0.88.0.0 \\\n, \\\n0.89.0.0 \\\n. \\\n0.89.0.0 \\\n, \\\n0.90.0.0 \\\n. \\\n0.90.0.0 \\\n, \\\n0.91.0.0 \\\n. \\\n0.91.0.0 \\\n, \\\n0.92.0.0 \\\n. \\\n0.92.0.0 \\\n, \\\n0.93.0.0 \\\n. \\\n0.93.0.0 \\\n, \\\n0.94.0.0 \\\n. \\\n0.94.0.0 \\\n, \\\n0.95.0.0 \\\n. \\\n0.95.0.0 \\\n, \\\n0.96.0.0 \\\n. \\\n0.96.0.0 \\\n, \\\n0.97.0.0 \\\n. \\\n0.97.0.0 \\\n, \\\n0.98.0.0 \\\n. \\\n0.98.0.0 \\\n, \\\n0.99.0.0 \\\n. 
\\\n0.99.0.0 \\\n, \\\n0.100.0.0 \\\n. \\\n0.100.0.0 \\\n, \\\n0.101.0.0 \\\n. \\\n0.101.0.0 \\\n, \\\n0.102.0.0 \\\n. \\\n0.102.0.0 \\\n, \\\n0.103.0.0 \\\n. \\\n0.103.0.0 \\\n, \\\n0.104.0.0 \\\n. \\\n0.104.0.0 \\\n, \\\n0.105.0.0 \\\n. \\\n0.105.0.0 \\\n, \\\n0.106.0.0 \\\n. \\\n0.106.0.0 \\\n, \\\n0.107.0.0 \\\n. \\\n0.107.0.0 \\\n, \\\n0.108.0.0 \\\n. \\\n0.108.0.0 \\\n, \\\n0.109.0.0 \\\n. \\\n0.109.0.0 \\\n, \\\n0.110.0.0 \\\n. \\\n0.110.0.0 \\\n, \\\n0.111.0.0 \\\n. \\\n0.111.0.0 \\\n, \\\n0.112.0.0 \\\n. \\\n0.112.0.0 \\\n, \\\n0.113.0.0 \\\n. \\\n0.113.0.0 \\\n, \\\n0.114.0.0 \\\n. \\\n0.114.0.0 \\\n, \\\n0.115.0.0 \\\n. \\\n0.115.0.0 \\\n, \\\n0.116.0.0 \\\n. \\\n0.116.0.0 \\\n, \\\n0.117.0.0 \\\n. \\\n0.117.0.0 \\\n, \\\n0.118.0.0 \\\n. \\\n0.118.0.0 \\\n, \\\n0.119.0.0 \\\n. \\\n0.119.0.0 \\\n, \\\n0.120.0.0 \\\n. \\\n0.120.0.0 \\\n, \\\n0.121.0.0 \\\n. \\\n0.121.0.0 \\\n, \\\n0.122.0.0 \\\n. \\\n0.122.0.0 \\\n, \\\n0.123.0.0 \\\n. \\\n0.123.0.0 \\\n, \\\n0.124.0.0 \\\n. \\\n0.124.0.0 \\\n, \\\n0.125.0.0 \\\n. \\\n0.125.0.0 \\\n, \\\n0.126.0.0 \\\n. \\\n0.126.0.0 \\\n, \\\n0.127.0.0 \\\n. \\\n0.127.0.0 \\\n, \\\n0.128.0.0 \\\n. \\\n0.128.0.0 \\\n, \\\n0.129.0.0 \\\n. \\\n0.129.0.0 \\\n, \\\n0.130.0.0 \\\n. \\\n0.130.0.0 \\\n, \\\n0.131.0.0 \\\n. \\\n0.131.0.0 \\\n, \\\n0.132.0.0 \\\n. \\\n0.132.0.0 \\\n, \\\n0.133.0.0 \\\n. \\\n0.133.0.0 \\\n, \\\n0.134.0.0 \\\n. \\\n0.134.0.0 \\\n, \\\n0.135.0.0 \\\n. \\\n0.135.0.0 \\\n, \\\n0.136.0.0 \\\n. \\\n0.136.0.0 \\\n, \\\n0.137.0.0 \\\n. \\\n0.137.0.0 \\\n, \\\n0.138.0.0 \\\n. \\\n0.138.0.0 \\\n, \\\n0.139.0.0 \\\n. \\\n0.139.0.0 \\\n, \\\n0.140.0.0 \\\n. \\\n0.140.0.0 \\\n, \\\n0.141.0.0 \\\n. \\\n0.141.0.0 \\\n, \\\n0.142.0.0 \\\n. \\\n0.142.0.0 \\\n, \\\n0.143.0.0 \\\n. \\\n0.143.0.0 \\\n, \\\n0.144.0.0 \\\n. \\\n0.144.0.0 \\\n, \\\n0.145.0.0 \\\n. \\\n0.145.0.0 \\\n, \\\n0.146.0.0 \\\n. \\\n0.146.0.0 \\\n, \\\n0.147.0.0 \\\n. \\\n0.147.0.0 \\\n, \\\n0.148.0.0 \\\n. \\\n0.148.0.0 \\\n, \\\n0.149.0.0 \\\n. 
\\\n0.149.0.0 \\\n, \\\n0.150.0.0 \\\n. \\\n0.150.0.0 \\\n, \\\n0.151.0.0 \\\n. \\\n0.151.0.0 \\\n, \\\n0.152.0.0 \\\n. \\\n0.152.0.0 \\\n, \\\n0.153.0.0 \\\n. \\\n0.153.0.0 \\\n, \\\n0.154.0.0 \\\n. \\\n0.154.0.0 \\\n, \\\n0.155.0.0 \\\n. \\\n0.155.0.0 \\\n, \\\n0.156.0.0 \\\n. \\\n0.156.0.0 \\\n, \\\n0.157.0.0 \\\n. \\\n0.157.0.0 \\\n, \\\n0.158.0.0 \\\n. \\\n0.158.0.0 \\\n, \\\n0.159.0.0 \\\n. \\\n0.159.0.0 \\\n, \\\n0.160.0.0 \\\n. \\\n0.160.0.0 \\\n, \\\n0.161.0.0 \\\n. \\\n0.161.0.0 \\\n, \\\n0.162.0.0 \\\n. \\\n0.162.0.0 \\\n, \\\n0.163.0.0 \\\n. \\\n0.163.0.0 \\\n, \\\n0.164.0.0 \\\n. \\\n0.164.0.0 \\\n, \\\n0.165.0.0 \\\n. \\\n0.165.0.0 \\\n, \\\n0.166.0.0 \\\n. \\\n0.166.0.0 \\\n, \\\n0.167.0.0 \\\n. \\\n0.167.0.0 \\\n, \\\n0.168.0.0 \\\n. \\\n0.168.0.0 \\\n, \\\n0.169.0.0 \\\n. \\\n0.169.0.0 \\\n, \\\n0.170.0.0 \\\n. \\\n0.170.0.0 \\\n, \\\n0.171.0.0 \\\n. \\\n0.171.0.0 \\\n, \\\n0.172.0.0 \\\n. \\\n0.172.0.0 \\\n, \\\n0.173.0.0 \\\n. \\\n0.173.0.0 \\\n, \\\n0.174.0.0 \\\n. \\\n0.174.0.0 \\\n, \\\n0.175.0.0 \\\n. \\\n0.175.0.0 \\\n, \\\n0.176.0.0 \\\n. \\\n0.176.0.0 \\\n, \\\n0.177.0.0 \\\n. \\\n0.177.0.0 \\\n, \\\n0.178.0.0 \\\n. \\\n0.178.0.0 \\\n, \\\n0.179.0.0 \\\n. \\\n0.179.0.0 \\\n, \\\n0.180.0.0 \\\n. \\\n0.180.0.0 \\\n, \\\n0.181.0.0 \\\n. \\\n0.181.0.0 \\\n, \\\n0.182.0.0 \\\n. \\\n0.182.0.0 \\\n, \\\n0.183.0.0 \\\n. \\\n0.183.0.0 \\\n, \\\n0.184.0.0 \\\n. \\\n0.184.0.0 \\\n, \\\n0.185.0.0 \\\n. \\\n0.185.0.0 \\\n, \\\n0.186.0.0 \\\n. \\\n0.186.0.0 \\\n, \\\n0.187.0.0 \\\n. \\\n0.187.0.0 \\\n, \\\n0.188.0.0 \\\n. \\\n0.188.0.0 \\\n, \\\n0.189.0.0 \\\n. \\\n0.189.0.0 \\\n, \\\n0.190.0.0 \\\n. \\\n0.190.0.0 \\\n, \\\n0.191.0.0 \\\n. \\\n0.191.0.0 \\\n, \\\n0.192.0.0 \\\n. \\\n0.192.0.0 \\\n, \\\n0.193.0.0 \\\n. \\\n0.193.0.0 \\\n, \\\n0.194.0.0 \\\n. \\\n0.194.0.0 \\\n, \\\n0.195.0.0 \\\n. \\\n0.195.0.0 \\\n, \\\n0.196.0.0 \\\n. \\\n0.196.0.0 \\\n, \\\n0.197.0.0 \\\n. \\\n0.197.0.0 \\\n, \\\n0.198.0.0 \\\n. \\\n0.198.0.0 \\\n, \\\n0.199.0.0 \\\n. 
\\\n0.199.0.0 \\\n, \\\n0.200.0.0 \\\n. \\\n0.200.0.0 \\\n, \\\n0.201.0.0 \\\n. \\\n0.201.0.0 \\\n, \\\n0.202.0.0 \\\n. \\\n0.202.0.0 \\\n, \\\n0.203.0.0 \\\n. \\\n0.203.0.0 \\\n, \\\n0.204.0.0 \\\n. \\\n0.204.0.0 \\\n, \\\n0.205.0.0 \\\n. \\\n0.205.0.0 \\\n, \\\n0.206.0.0 \\\n. \\\n0.206.0.0 \\\n, \\\n0.207.0.0 \\\n. \\\n0.207.0.0 \\\n, \\\n0.208.0.0 \\\n. \\\n0.208.0.0 \\\n, \\\n0.209.0.0 \\\n. \\\n0.209.0.0 \\\n, \\\n0.210.0.0 \\\n. \\\n0.210.0.0 \\\n, \\\n0.211.0.0 \\\n. \\\n0.211.0.0 \\\n, \\\n0.212.0.0 \\\n. \\\n0.212.0.0 \\\n, \\\n0.213.0.0 \\\n. \\\n0.213.0.0 \\\n, \\\n0.214.0.0 \\\n. \\\n0.214.0.0 \\\n, \\\n0.215.0.0 \\\n. \\\n0.215.0.0 \\\n, \\\n0.216.0.0 \\\n. \\\n0.216.0.0 \\\n, \\\n0.217.0.0 \\\n. \\\n0.217.0.0 \\\n, \\\n0.218.0.0 \\\n. \\\n0.218.0.0 \\\n, \\\n0.219.0.0 \\\n. \\\n0.219.0.0 \\\n, \\\n0.220.0.0 \\\n. \\\n0.220.0.0 \\\n, \\\n0.221.0.0 \\\n. \\\n0.221.0.0 \\\n, \\\n0.222.0.0 \\\n. \\\n0.222.0.0 \\\n, \\\n0.223.0.0 \\\n. \\\n0.223.0.0 \\\n, \\\n0.224.0.0 \\\n. \\\n0.224.0.0 \\\n, \\\n0.225.0.0 \\\n. \\\n0.225.0.0 \\\n, \\\n0.226.0.0 \\\n. \\\n0.226.0.0 \\\n, \\\n0.227.0.0 \\\n. \\\n0.227.0.0 \\\n, \\\n0.228.0.0 \\\n. \\\n0.228.0.0 \\\n, \\\n0.229.0.0 \\\n. \\\n0.229.0.0 \\\n, \\\n0.230.0.0 \\\n. \\\n0.230.0.0 \\\n, \\\n0.231.0.0 \\\n. \\\n0.231.0.0 \\\n, \\\n0.232.0.0 \\\n. \\\n0.232.0.0 \\\n, \\\n0.233.0.0 \\\n. \\\n0.233.0.0 \\\n, \\\n0.234.0.0 \\\n. \\\n0.234.0.0 \\\n, \\\n0.235.0.0 \\\n. \\\n0.235.0.0 \\\n, \\\n0.236.0.0 \\\n. \\\n0.236.0.0 \\\n, \\\n0.237.0.0 \\\n. \\\n0.237.0.0 \\\n, \\\n0.238.0.0 \\\n. \\\n0.238.0.0 \\\n, \\\n0.239.0.0 \\\n. \\\n0.239.0.0 \\\n, \\\n0.240.0.0 \\\n. \\\n0.240.0.0 \\\n, \\\n0.241.0.0 \\\n. \\\n0.241.0.0 \\\n, \\\n0.242.0.0 \\\n. \\\n0.242.0.0 \\\n, \\\n0.243.0.0 \\\n. \\\n0.243.0.0 \\\n, \\\n0.244.0.0 \\\n. \\\n0.244.0.0 \\\n, \\\n0.245.0.0 \\\n. \\\n0.245.0.0 \\\n, \\\n0.246.0.0 \\\n. \\\n0.246.0.0 \\\n, \\\n0.247.0.0 \\\n. \\\n0.247.0.0 \\\n, \\\n0.248.0.0 \\\n. \\\n0.248.0.0 \\\n, \\\n0.249.0.0 \\\n. 
\\\n0.249.0.0 \\\n, \\\n0.250.0.0 \\\n. \\\n0.250.0.0 \\\n, \\\n0.251.0.0 \\\n. \\\n0.251.0.0 \\\n, \\\n0.252.0.0 \\\n. \\\n0.252.0.0 \\\n, \\\n0.253.0.0 \\\n. \\\n0.253.0.0 \\\n, \\\n0.254.0.0 \\\n. \\\n0.254.0.0 \\\n, \\\n0.255.0.0 \\\n. \\\n0.255.0.0 \\\n, \\\n0.0.0.0 \\\n. \\\n0.0.0.0 \\\n, \\\n0.0.1.0 \\\n. \\\n0.0.1.0 \\\n, \\\n0.0.2.0 \\\n. \\\n0.0.2.0 \\\n, \\\n0.0.3.0 \\\n. \\\n0.0.3.0 \\\n, \\\n0.0.4.0 \\\n. \\\n0.0.4.0 \\\n, \\\n0.0.5.0 \\\n. \\\n0.0.5.0 \\\n, \\\n0.0.6.0 \\\n. \\\n0.0.6.0 \\\n, \\\n0.0.7.0 \\\n. \\\n0.0.7.0 \\\n, \\\n0.0.8.0 \\\n. \\\n0.0.8.0 \\\n, \\\n0.0.9.0 \\\n. \\\n0.0.9.0 \\\n, \\\n0.0.10.0 \\\n. \\\n0.0.10.0 \\\n, \\\n0.0.11.0 \\\n. \\\n0.0.11.0 \\\n, \\\n0.0.12.0 \\\n. \\\n0.0.12.0 \\\n, \\\n0.0.13.0 \\\n. \\\n0.0.13.0 \\\n, \\\n0.0.14.0 \\\n. \\\n0.0.14.0 \\\n, \\\n0.0.15.0 \\\n. \\\n0.0.15.0 \\\n, \\\n0.0.16.0 \\\n. \\\n0.0.16.0 \\\n, \\\n0.0.17.0 \\\n. \\\n0.0.17.0 \\\n, \\\n0.0.18.0 \\\n. \\\n0.0.18.0 \\\n, \\\n0.0.19.0 \\\n. \\\n0.0.19.0 \\\n, \\\n0.0.20.0 \\\n. \\\n0.0.20.0 \\\n, \\\n0.0.21.0 \\\n. \\\n0.0.21.0 \\\n, \\\n0.0.22.0 \\\n. \\\n0.0.22.0 \\\n, \\\n0.0.23.0 \\\n. \\\n0.0.23.0 \\\n, \\\n0.0.24.0 \\\n. \\\n0.0.24.0 \\\n, \\\n0.0.25.0 \\\n. \\\n0.0.25.0 \\\n, \\\n0.0.26.0 \\\n. \\\n0.0.26.0 \\\n, \\\n0.0.27.0 \\\n. \\\n0.0.27.0 \\\n, \\\n0.0.28.0 \\\n. \\\n0.0.28.0 \\\n, \\\n0.0.29.0 \\\n. \\\n0.0.29.0 \\\n, \\\n0.0.30.0 \\\n. \\\n0.0.30.0 \\\n, \\\n0.0.31.0 \\\n. \\\n0.0.31.0 \\\n, \\\n0.0.32.0 \\\n. \\\n0.0.32.0 \\\n, \\\n0.0.33.0 \\\n. \\\n0.0.33.0 \\\n, \\\n0.0.34.0 \\\n. \\\n0.0.34.0 \\\n, \\\n0.0.35.0 \\\n. \\\n0.0.35.0 \\\n, \\\n0.0.36.0 \\\n. \\\n0.0.36.0 \\\n, \\\n0.0.37.0 \\\n. \\\n0.0.37.0 \\\n, \\\n0.0.38.0 \\\n. \\\n0.0.38.0 \\\n, \\\n0.0.39.0 \\\n. \\\n0.0.39.0 \\\n, \\\n0.0.40.0 \\\n. \\\n0.0.40.0 \\\n, \\\n0.0.41.0 \\\n. \\\n0.0.41.0 \\\n, \\\n0.0.42.0 \\\n. \\\n0.0.42.0 \\\n, \\\n0.0.43.0 \\\n. \\\n0.0.43.0 \\\n, \\\n0.0.44.0 \\\n. \\\n0.0.44.0 \\\n, \\\n0.0.45.0 \\\n. 
\\\n0.0.45.0 \\\n, \\\n0.0.46.0 \\\n. \\\n0.0.46.0 \\\n, \\\n0.0.47.0 \\\n. \\\n0.0.47.0 \\\n, \\\n0.0.48.0 \\\n. \\\n0.0.48.0 \\\n, \\\n0.0.49.0 \\\n. \\\n0.0.49.0 \\\n, \\\n0.0.50.0 \\\n. \\\n0.0.50.0 \\\n, \\\n0.0.51.0 \\\n. \\\n0.0.51.0 \\\n, \\\n0.0.52.0 \\\n. \\\n0.0.52.0 \\\n, \\\n0.0.53.0 \\\n. \\\n0.0.53.0 \\\n, \\\n0.0.54.0 \\\n. \\\n0.0.54.0 \\\n, \\\n0.0.55.0 \\\n. \\\n0.0.55.0 \\\n, \\\n0.0.56.0 \\\n. \\\n0.0.56.0 \\\n, \\\n0.0.57.0 \\\n. \\\n0.0.57.0 \\\n, \\\n0.0.58.0 \\\n. \\\n0.0.58.0 \\\n, \\\n0.0.59.0 \\\n. \\\n0.0.59.0 \\\n, \\\n0.0.60.0 \\\n. \\\n0.0.60.0 \\\n, \\\n0.0.61.0 \\\n. \\\n0.0.61.0 \\\n, \\\n0.0.62.0 \\\n. \\\n0.0.62.0 \\\n, \\\n0.0.63.0 \\\n. \\\n0.0.63.0 \\\n, \\\n0.0.64.0 \\\n. \\\n0.0.64.0 \\\n, \\\n0.0.65.0 \\\n. \\\n0.0.65.0 \\\n, \\\n0.0.66.0 \\\n. \\\n0.0.66.0 \\\n, \\\n0.0.67.0 \\\n. \\\n0.0.67.0 \\\n, \\\n0.0.68.0 \\\n. \\\n0.0.68.0 \\\n, \\\n0.0.69.0 \\\n. \\\n0.0.69.0 \\\n, \\\n0.0.70.0 \\\n. \\\n0.0.70.0 \\\n, \\\n0.0.71.0 \\\n. \\\n0.0.71.0 \\\n, \\\n0.0.72.0 \\\n. \\\n0.0.72.0 \\\n, \\\n0.0.73.0 \\\n. \\\n0.0.73.0 \\\n, \\\n0.0.74.0 \\\n. \\\n0.0.74.0 \\\n, \\\n0.0.75.0 \\\n. \\\n0.0.75.0 \\\n, \\\n0.0.76.0 \\\n. \\\n0.0.76.0 \\\n, \\\n0.0.77.0 \\\n. \\\n0.0.77.0 \\\n, \\\n0.0.78.0 \\\n. \\\n0.0.78.0 \\\n, \\\n0.0.79.0 \\\n. \\\n0.0.79.0 \\\n, \\\n0.0.80.0 \\\n. \\\n0.0.80.0 \\\n, \\\n0.0.81.0 \\\n. \\\n0.0.81.0 \\\n, \\\n0.0.82.0 \\\n. \\\n0.0.82.0 \\\n, \\\n0.0.83.0 \\\n. \\\n0.0.83.0 \\\n, \\\n0.0.84.0 \\\n. \\\n0.0.84.0 \\\n, \\\n0.0.85.0 \\\n. \\\n0.0.85.0 \\\n, \\\n0.0.86.0 \\\n. \\\n0.0.86.0 \\\n, \\\n0.0.87.0 \\\n. \\\n0.0.87.0 \\\n, \\\n0.0.88.0 \\\n. \\\n0.0.88.0 \\\n, \\\n0.0.89.0 \\\n. \\\n0.0.89.0 \\\n, \\\n0.0.90.0 \\\n. \\\n0.0.90.0 \\\n, \\\n0.0.91.0 \\\n. \\\n0.0.91.0 \\\n, \\\n0.0.92.0 \\\n. \\\n0.0.92.0 \\\n, \\\n0.0.93.0 \\\n. \\\n0.0.93.0 \\\n, \\\n0.0.94.0 \\\n. \\\n0.0.94.0 \\\n, \\\n0.0.95.0 \\\n. \\\n0.0.95.0 \\\n, \\\n0.0.96.0 \\\n. \\\n0.0.96.0 \\\n, \\\n0.0.97.0 \\\n. 
\\\n0.0.97.0 \\\n, \\\n0.0.98.0 \\\n. \\\n0.0.98.0 \\\n, \\\n0.0.99.0 \\\n. \\\n0.0.99.0 \\\n, \\\n0.0.100.0 \\\n. \\\n0.0.100.0 \\\n, \\\n0.0.101.0 \\\n. \\\n0.0.101.0 \\\n, \\\n0.0.102.0 \\\n. \\\n0.0.102.0 \\\n, \\\n0.0.103.0 \\\n. \\\n0.0.103.0 \\\n, \\\n0.0.104.0 \\\n. \\\n0.0.104.0 \\\n, \\\n0.0.105.0 \\\n. \\\n0.0.105.0 \\\n, \\\n0.0.106.0 \\\n. \\\n0.0.106.0 \\\n, \\\n0.0.107.0 \\\n. \\\n0.0.107.0 \\\n, \\\n0.0.108.0 \\\n. \\\n0.0.108.0 \\\n, \\\n0.0.109.0 \\\n. \\\n0.0.109.0 \\\n, \\\n0.0.110.0 \\\n. \\\n0.0.110.0 \\\n, \\\n0.0.111.0 \\\n. \\\n0.0.111.0 \\\n, \\\n0.0.112.0 \\\n. \\\n0.0.112.0 \\\n, \\\n0.0.113.0 \\\n. \\\n0.0.113.0 \\\n, \\\n0.0.114.0 \\\n. \\\n0.0.114.0 \\\n, \\\n0.0.115.0 \\\n. \\\n0.0.115.0 \\\n, \\\n0.0.116.0 \\\n. \\\n0.0.116.0 \\\n, \\\n0.0.117.0 \\\n. \\\n0.0.117.0 \\\n, \\\n0.0.118.0 \\\n. \\\n0.0.118.0 \\\n, \\\n0.0.119.0 \\\n. \\\n0.0.119.0 \\\n, \\\n0.0.120.0 \\\n. \\\n0.0.120.0 \\\n, \\\n0.0.121.0 \\\n. \\\n0.0.121.0 \\\n, \\\n0.0.122.0 \\\n. \\\n0.0.122.0 \\\n, \\\n0.0.123.0 \\\n. \\\n0.0.123.0 \\\n, \\\n0.0.124.0 \\\n. \\\n0.0.124.0 \\\n, \\\n0.0.125.0 \\\n. \\\n0.0.125.0 \\\n, \\\n0.0.126.0 \\\n. \\\n0.0.126.0 \\\n, \\\n0.0.127.0 \\\n. \\\n0.0.127.0 \\\n, \\\n0.0.128.0 \\\n. \\\n0.0.128.0 \\\n, \\\n0.0.129.0 \\\n. \\\n0.0.129.0 \\\n, \\\n0.0.130.0 \\\n. \\\n0.0.130.0 \\\n, \\\n0.0.131.0 \\\n. \\\n0.0.131.0 \\\n, \\\n0.0.132.0 \\\n. \\\n0.0.132.0 \\\n, \\\n0.0.133.0 \\\n. \\\n0.0.133.0 \\\n, \\\n0.0.134.0 \\\n. \\\n0.0.134.0 \\\n, \\\n0.0.135.0 \\\n. \\\n0.0.135.0 \\\n, \\\n0.0.136.0 \\\n. \\\n0.0.136.0 \\\n, \\\n0.0.137.0 \\\n. \\\n0.0.137.0 \\\n, \\\n0.0.138.0 \\\n. \\\n0.0.138.0 \\\n, \\\n0.0.139.0 \\\n. \\\n0.0.139.0 \\\n, \\\n0.0.140.0 \\\n. \\\n0.0.140.0 \\\n, \\\n0.0.141.0 \\\n. \\\n0.0.141.0 \\\n, \\\n0.0.142.0 \\\n. \\\n0.0.142.0 \\\n, \\\n0.0.143.0 \\\n. \\\n0.0.143.0 \\\n, \\\n0.0.144.0 \\\n. \\\n0.0.144.0 \\\n, \\\n0.0.145.0 \\\n. \\\n0.0.145.0 \\\n, \\\n0.0.146.0 \\\n. \\\n0.0.146.0 \\\n, \\\n0.0.147.0 \\\n. 
\\\n0.0.147.0 \\\n, \\\n0.0.148.0 \\\n. \\\n0.0.148.0 \\\n, \\\n0.0.149.0 \\\n. \\\n0.0.149.0 \\\n, \\\n0.0.150.0 \\\n. \\\n0.0.150.0 \\\n, \\\n0.0.151.0 \\\n. \\\n0.0.151.0 \\\n, \\\n0.0.152.0 \\\n. \\\n0.0.152.0 \\\n, \\\n0.0.153.0 \\\n. \\\n0.0.153.0 \\\n, \\\n0.0.154.0 \\\n. \\\n0.0.154.0 \\\n, \\\n0.0.155.0 \\\n. \\\n0.0.155.0 \\\n, \\\n0.0.156.0 \\\n. \\\n0.0.156.0 \\\n, \\\n0.0.157.0 \\\n. \\\n0.0.157.0 \\\n, \\\n0.0.158.0 \\\n. \\\n0.0.158.0 \\\n, \\\n0.0.159.0 \\\n. \\\n0.0.159.0 \\\n, \\\n0.0.160.0 \\\n. \\\n0.0.160.0 \\\n, \\\n0.0.161.0 \\\n. \\\n0.0.161.0 \\\n, \\\n0.0.162.0 \\\n. \\\n0.0.162.0 \\\n, \\\n0.0.163.0 \\\n. \\\n0.0.163.0 \\\n, \\\n0.0.164.0 \\\n. \\\n0.0.164.0 \\\n, \\\n0.0.165.0 \\\n. \\\n0.0.165.0 \\\n, \\\n0.0.166.0 \\\n. \\\n0.0.166.0 \\\n, \\\n0.0.167.0 \\\n. \\\n0.0.167.0 \\\n, \\\n0.0.168.0 \\\n. \\\n0.0.168.0 \\\n, \\\n0.0.169.0 \\\n. \\\n0.0.169.0 \\\n, \\\n0.0.170.0 \\\n. \\\n0.0.170.0 \\\n, \\\n0.0.171.0 \\\n. \\\n0.0.171.0 \\\n, \\\n0.0.172.0 \\\n. \\\n0.0.172.0 \\\n, \\\n0.0.173.0 \\\n. \\\n0.0.173.0 \\\n, \\\n0.0.174.0 \\\n. \\\n0.0.174.0 \\\n, \\\n0.0.175.0 \\\n. \\\n0.0.175.0 \\\n, \\\n0.0.176.0 \\\n. \\\n0.0.176.0 \\\n, \\\n0.0.177.0 \\\n. \\\n0.0.177.0 \\\n, \\\n0.0.178.0 \\\n. \\\n0.0.178.0 \\\n, \\\n0.0.179.0 \\\n. \\\n0.0.179.0 \\\n, \\\n0.0.180.0 \\\n. \\\n0.0.180.0 \\\n, \\\n0.0.181.0 \\\n. \\\n0.0.181.0 \\\n, \\\n0.0.182.0 \\\n. \\\n0.0.182.0 \\\n, \\\n0.0.183.0 \\\n. \\\n0.0.183.0 \\\n, \\\n0.0.184.0 \\\n. \\\n0.0.184.0 \\\n, \\\n0.0.185.0 \\\n. \\\n0.0.185.0 \\\n, \\\n0.0.186.0 \\\n. \\\n0.0.186.0 \\\n, \\\n0.0.187.0 \\\n. \\\n0.0.187.0 \\\n, \\\n0.0.188.0 \\\n. \\\n0.0.188.0 \\\n, \\\n0.0.189.0 \\\n. \\\n0.0.189.0 \\\n, \\\n0.0.190.0 \\\n. \\\n0.0.190.0 \\\n, \\\n0.0.191.0 \\\n. \\\n0.0.191.0 \\\n, \\\n0.0.192.0 \\\n. \\\n0.0.192.0 \\\n, \\\n0.0.193.0 \\\n. \\\n0.0.193.0 \\\n, \\\n0.0.194.0 \\\n. \\\n0.0.194.0 \\\n, \\\n0.0.195.0 \\\n. \\\n0.0.195.0 \\\n, \\\n0.0.196.0 \\\n. \\\n0.0.196.0 \\\n, \\\n0.0.197.0 \\\n. 
\\\n0.0.197.0 \\\n, \\\n0.0.198.0 \\\n. \\\n0.0.198.0 \\\n, \\\n0.0.199.0 \\\n. \\\n0.0.199.0 \\\n, \\\n0.0.200.0 \\\n. \\\n0.0.200.0 \\\n, \\\n0.0.201.0 \\\n. \\\n0.0.201.0 \\\n, \\\n0.0.202.0 \\\n. \\\n0.0.202.0 \\\n, \\\n0.0.203.0 \\\n. \\\n0.0.203.0 \\\n, \\\n0.0.204.0 \\\n. \\\n0.0.204.0 \\\n, \\\n0.0.205.0 \\\n. \\\n0.0.205.0 \\\n, \\\n0.0.206.0 \\\n. \\\n0.0.206.0 \\\n, \\\n0.0.207.0 \\\n. \\\n0.0.207.0 \\\n, \\\n0.0.208.0 \\\n. \\\n0.0.208.0 \\\n, \\\n0.0.209.0 \\\n. \\\n0.0.209.0 \\\n, \\\n0.0.210.0 \\\n. \\\n0.0.210.0 \\\n, \\\n0.0.211.0 \\\n. \\\n0.0.211.0 \\\n, \\\n0.0.212.0 \\\n. \\\n0.0.212.0 \\\n, \\\n0.0.213.0 \\\n. \\\n0.0.213.0 \\\n, \\\n0.0.214.0 \\\n. \\\n0.0.214.0 \\\n, \\\n0.0.215.0 \\\n. \\\n0.0.215.0 \\\n, \\\n0.0.216.0 \\\n. \\\n0.0.216.0 \\\n, \\\n0.0.217.0 \\\n. \\\n0.0.217.0 \\\n, \\\n0.0.218.0 \\\n. \\\n0.0.218.0 \\\n, \\\n0.0.219.0 \\\n. \\\n0.0.219.0 \\\n, \\\n0.0.220.0 \\\n. \\\n0.0.220.0 \\\n, \\\n0.0.221.0 \\\n. \\\n0.0.221.0 \\\n, \\\n0.0.222.0 \\\n. \\\n0.0.222.0 \\\n, \\\n0.0.223.0 \\\n. \\\n0.0.223.0 \\\n, \\\n0.0.224.0 \\\n. \\\n0.0.224.0 \\\n, \\\n0.0.225.0 \\\n. \\\n0.0.225.0 \\\n, \\\n0.0.226.0 \\\n. \\\n0.0.226.0 \\\n, \\\n0.0.227.0 \\\n. \\\n0.0.227.0 \\\n, \\\n0.0.228.0 \\\n. \\\n0.0.228.0 \\\n, \\\n0.0.229.0 \\\n. \\\n0.0.229.0 \\\n, \\\n0.0.230.0 \\\n. \\\n0.0.230.0 \\\n, \\\n0.0.231.0 \\\n. \\\n0.0.231.0 \\\n, \\\n0.0.232.0 \\\n. \\\n0.0.232.0 \\\n, \\\n0.0.233.0 \\\n. \\\n0.0.233.0 \\\n, \\\n0.0.234.0 \\\n. \\\n0.0.234.0 \\\n, \\\n0.0.235.0 \\\n. \\\n0.0.235.0 \\\n, \\\n0.0.236.0 \\\n. \\\n0.0.236.0 \\\n, \\\n0.0.237.0 \\\n. \\\n0.0.237.0 \\\n, \\\n0.0.238.0 \\\n. \\\n0.0.238.0 \\\n, \\\n0.0.239.0 \\\n. \\\n0.0.239.0 \\\n, \\\n0.0.240.0 \\\n. \\\n0.0.240.0 \\\n, \\\n0.0.241.0 \\\n. \\\n0.0.241.0 \\\n, \\\n0.0.242.0 \\\n. \\\n0.0.242.0 \\\n, \\\n0.0.243.0 \\\n. \\\n0.0.243.0 \\\n, \\\n0.0.244.0 \\\n. \\\n0.0.244.0 \\\n, \\\n0.0.245.0 \\\n. \\\n0.0.245.0 \\\n, \\\n0.0.246.0 \\\n. \\\n0.0.246.0 \\\n, \\\n0.0.247.0 \\\n. 
\\\n0.0.247.0 \\\n, \\\n0.0.248.0 \\\n. \\\n0.0.248.0 \\\n, \\\n0.0.249.0 \\\n. \\\n0.0.249.0 \\\n, \\\n0.0.250.0 \\\n. \\\n0.0.250.0 \\\n, \\\n0.0.251.0 \\\n. \\\n0.0.251.0 \\\n, \\\n0.0.252.0 \\\n. \\\n0.0.252.0 \\\n, \\\n0.0.253.0 \\\n. \\\n0.0.253.0 \\\n, \\\n0.0.254.0 \\\n. \\\n0.0.254.0 \\\n, \\\n0.0.255.0 \\\n. \\\n0.0.255.0 \\\n, \\\n0.0.0.0 \\\n. \\\n0.0.0.0 \\\n, \\\n0.0.0.1 \\\n. \\\n0.0.0.1 \\\n, \\\n0.0.0.2 \\\n. \\\n0.0.0.2 \\\n, \\\n0.0.0.3 \\\n. \\\n0.0.0.3 \\\n, \\\n0.0.0.4 \\\n. \\\n0.0.0.4 \\\n, \\\n0.0.0.5 \\\n. \\\n0.0.0.5 \\\n, \\\n0.0.0.6 \\\n. \\\n0.0.0.6 \\\n, \\\n0.0.0.7 \\\n. \\\n0.0.0.7 \\\n, \\\n0.0.0.8 \\\n. \\\n0.0.0.8 \\\n, \\\n0.0.0.9 \\\n. \\\n0.0.0.9 \\\n, \\\n0.0.0.10 \\\n. \\\n0.0.0.10 \\\n, \\\n0.0.0.11 \\\n. \\\n0.0.0.11 \\\n, \\\n0.0.0.12 \\\n. \\\n0.0.0.12 \\\n, \\\n0.0.0.13 \\\n. \\\n0.0.0.13 \\\n, \\\n0.0.0.14 \\\n. \\\n0.0.0.14 \\\n, \\\n0.0.0.15 \\\n. \\\n0.0.0.15 \\\n, \\\n0.0.0.16 \\\n. \\\n0.0.0.16 \\\n, \\\n0.0.0.17 \\\n. \\\n0.0.0.17 \\\n, \\\n0.0.0.18 \\\n. \\\n0.0.0.18 \\\n, \\\n0.0.0.19 \\\n. \\\n0.0.0.19 \\\n, \\\n0.0.0.20 \\\n. \\\n0.0.0.20 \\\n, \\\n0.0.0.21 \\\n. \\\n0.0.0.21 \\\n, \\\n0.0.0.22 \\\n. \\\n0.0.0.22 \\\n, \\\n0.0.0.23 \\\n. \\\n0.0.0.23 \\\n, \\\n0.0.0.24 \\\n. \\\n0.0.0.24 \\\n, \\\n0.0.0.25 \\\n. \\\n0.0.0.25 \\\n, \\\n0.0.0.26 \\\n. \\\n0.0.0.26 \\\n, \\\n0.0.0.27 \\\n. \\\n0.0.0.27 \\\n, \\\n0.0.0.28 \\\n. \\\n0.0.0.28 \\\n, \\\n0.0.0.29 \\\n. \\\n0.0.0.29 \\\n, \\\n0.0.0.30 \\\n. \\\n0.0.0.30 \\\n, \\\n0.0.0.31 \\\n. \\\n0.0.0.31 \\\n, \\\n0.0.0.32 \\\n. \\\n0.0.0.32 \\\n, \\\n0.0.0.33 \\\n. \\\n0.0.0.33 \\\n, \\\n0.0.0.34 \\\n. \\\n0.0.0.34 \\\n, \\\n0.0.0.35 \\\n. \\\n0.0.0.35 \\\n, \\\n0.0.0.36 \\\n. \\\n0.0.0.36 \\\n, \\\n0.0.0.37 \\\n. \\\n0.0.0.37 \\\n, \\\n0.0.0.38 \\\n. \\\n0.0.0.38 \\\n, \\\n0.0.0.39 \\\n. \\\n0.0.0.39 \\\n, \\\n0.0.0.40 \\\n. \\\n0.0.0.40 \\\n, \\\n0.0.0.41 \\\n. \\\n0.0.0.41 \\\n, \\\n0.0.0.42 \\\n. \\\n0.0.0.42 \\\n, \\\n0.0.0.43 \\\n. 
\\\n0.0.0.43 \\\n, \\\n0.0.0.44 \\\n. \\\n0.0.0.44 \\\n, \\\n0.0.0.45 \\\n. \\\n0.0.0.45 \\\n, \\\n0.0.0.46 \\\n. \\\n0.0.0.46 \\\n, \\\n0.0.0.47 \\\n. \\\n0.0.0.47 \\\n, \\\n0.0.0.48 \\\n. \\\n0.0.0.48 \\\n, \\\n0.0.0.49 \\\n. \\\n0.0.0.49 \\\n, \\\n0.0.0.50 \\\n. \\\n0.0.0.50 \\\n, \\\n0.0.0.51 \\\n. \\\n0.0.0.51 \\\n, \\\n0.0.0.52 \\\n. \\\n0.0.0.52 \\\n, \\\n0.0.0.53 \\\n. \\\n0.0.0.53 \\\n, \\\n0.0.0.54 \\\n. \\\n0.0.0.54 \\\n, \\\n0.0.0.55 \\\n. \\\n0.0.0.55 \\\n, \\\n0.0.0.56 \\\n. \\\n0.0.0.56 \\\n, \\\n0.0.0.57 \\\n. \\\n0.0.0.57 \\\n, \\\n0.0.0.58 \\\n. \\\n0.0.0.58 \\\n, \\\n0.0.0.59 \\\n. \\\n0.0.0.59 \\\n, \\\n0.0.0.60 \\\n. \\\n0.0.0.60 \\\n, \\\n0.0.0.61 \\\n. \\\n0.0.0.61 \\\n, \\\n0.0.0.62 \\\n. \\\n0.0.0.62 \\\n, \\\n0.0.0.63 \\\n. \\\n0.0.0.63 \\\n, \\\n0.0.0.64 \\\n. \\\n0.0.0.64 \\\n, \\\n0.0.0.65 \\\n. \\\n0.0.0.65 \\\n, \\\n0.0.0.66 \\\n. \\\n0.0.0.66 \\\n, \\\n0.0.0.67 \\\n. \\\n0.0.0.67 \\\n, \\\n0.0.0.68 \\\n. \\\n0.0.0.68 \\\n, \\\n0.0.0.69 \\\n. \\\n0.0.0.69 \\\n, \\\n0.0.0.70 \\\n. \\\n0.0.0.70 \\\n, \\\n0.0.0.71 \\\n. \\\n0.0.0.71 \\\n, \\\n0.0.0.72 \\\n. \\\n0.0.0.72 \\\n, \\\n0.0.0.73 \\\n. \\\n0.0.0.73 \\\n, \\\n0.0.0.74 \\\n. \\\n0.0.0.74 \\\n, \\\n0.0.0.75 \\\n. \\\n0.0.0.75 \\\n, \\\n0.0.0.76 \\\n. \\\n0.0.0.76 \\\n, \\\n0.0.0.77 \\\n. \\\n0.0.0.77 \\\n, \\\n0.0.0.78 \\\n. \\\n0.0.0.78 \\\n, \\\n0.0.0.79 \\\n. \\\n0.0.0.79 \\\n, \\\n0.0.0.80 \\\n. \\\n0.0.0.80 \\\n, \\\n0.0.0.81 \\\n. \\\n0.0.0.81 \\\n, \\\n0.0.0.82 \\\n. \\\n0.0.0.82 \\\n, \\\n0.0.0.83 \\\n. \\\n0.0.0.83 \\\n, \\\n0.0.0.84 \\\n. \\\n0.0.0.84 \\\n, \\\n0.0.0.85 \\\n. \\\n0.0.0.85 \\\n, \\\n0.0.0.86 \\\n. \\\n0.0.0.86 \\\n, \\\n0.0.0.87 \\\n. \\\n0.0.0.87 \\\n, \\\n0.0.0.88 \\\n. \\\n0.0.0.88 \\\n, \\\n0.0.0.89 \\\n. \\\n0.0.0.89 \\\n, \\\n0.0.0.90 \\\n. \\\n0.0.0.90 \\\n, \\\n0.0.0.91 \\\n. \\\n0.0.0.91 \\\n, \\\n0.0.0.92 \\\n. \\\n0.0.0.92 \\\n, \\\n0.0.0.93 \\\n. \\\n0.0.0.93 \\\n, \\\n0.0.0.94 \\\n. \\\n0.0.0.94 \\\n, \\\n0.0.0.95 \\\n. 
\\\n0.0.0.95 \\\n, \\\n0.0.0.96 \\\n. \\\n0.0.0.96 \\\n, \\\n0.0.0.97 \\\n. \\\n0.0.0.97 \\\n, \\\n0.0.0.98 \\\n. \\\n0.0.0.98 \\\n, \\\n0.0.0.99 \\\n. \\\n0.0.0.99 \\\n, \\\n0.0.0.100 \\\n. \\\n0.0.0.100 \\\n, \\\n0.0.0.101 \\\n. \\\n0.0.0.101 \\\n, \\\n0.0.0.102 \\\n. \\\n0.0.0.102 \\\n, \\\n0.0.0.103 \\\n. \\\n0.0.0.103 \\\n, \\\n0.0.0.104 \\\n. \\\n0.0.0.104 \\\n, \\\n0.0.0.105 \\\n. \\\n0.0.0.105 \\\n, \\\n0.0.0.106 \\\n. \\\n0.0.0.106 \\\n, \\\n0.0.0.107 \\\n. \\\n0.0.0.107 \\\n, \\\n0.0.0.108 \\\n. \\\n0.0.0.108 \\\n, \\\n0.0.0.109 \\\n. \\\n0.0.0.109 \\\n, \\\n0.0.0.110 \\\n. \\\n0.0.0.110 \\\n, \\\n0.0.0.111 \\\n. \\\n0.0.0.111 \\\n, \\\n0.0.0.112 \\\n. \\\n0.0.0.112 \\\n, \\\n0.0.0.113 \\\n. \\\n0.0.0.113 \\\n, \\\n0.0.0.114 \\\n. \\\n0.0.0.114 \\\n, \\\n0.0.0.115 \\\n. \\\n0.0.0.115 \\\n, \\\n0.0.0.116 \\\n. \\\n0.0.0.116 \\\n, \\\n0.0.0.117 \\\n. \\\n0.0.0.117 \\\n, \\\n0.0.0.118 \\\n. \\\n0.0.0.118 \\\n, \\\n0.0.0.119 \\\n. \\\n0.0.0.119 \\\n, \\\n0.0.0.120 \\\n. \\\n0.0.0.120 \\\n, \\\n0.0.0.121 \\\n. \\\n0.0.0.121 \\\n, \\\n0.0.0.122 \\\n. \\\n0.0.0.122 \\\n, \\\n0.0.0.123 \\\n. \\\n0.0.0.123 \\\n, \\\n0.0.0.124 \\\n. \\\n0.0.0.124 \\\n, \\\n0.0.0.125 \\\n. \\\n0.0.0.125 \\\n, \\\n0.0.0.126 \\\n. \\\n0.0.0.126 \\\n, \\\n0.0.0.127 \\\n. \\\n0.0.0.127 \\\n, \\\n0.0.0.128 \\\n. \\\n0.0.0.128 \\\n, \\\n0.0.0.129 \\\n. \\\n0.0.0.129 \\\n, \\\n0.0.0.130 \\\n. \\\n0.0.0.130 \\\n, \\\n0.0.0.131 \\\n. \\\n0.0.0.131 \\\n, \\\n0.0.0.132 \\\n. \\\n0.0.0.132 \\\n, \\\n0.0.0.133 \\\n. \\\n0.0.0.133 \\\n, \\\n0.0.0.134 \\\n. \\\n0.0.0.134 \\\n, \\\n0.0.0.135 \\\n. \\\n0.0.0.135 \\\n, \\\n0.0.0.136 \\\n. \\\n0.0.0.136 \\\n, \\\n0.0.0.137 \\\n. \\\n0.0.0.137 \\\n, \\\n0.0.0.138 \\\n. \\\n0.0.0.138 \\\n, \\\n0.0.0.139 \\\n. \\\n0.0.0.139 \\\n, \\\n0.0.0.140 \\\n. \\\n0.0.0.140 \\\n, \\\n0.0.0.141 \\\n. \\\n0.0.0.141 \\\n, \\\n0.0.0.142 \\\n. \\\n0.0.0.142 \\\n, \\\n0.0.0.143 \\\n. \\\n0.0.0.143 \\\n, \\\n0.0.0.144 \\\n. \\\n0.0.0.144 \\\n, \\\n0.0.0.145 \\\n. 
\\\n0.0.0.145 \\\n, \\\n0.0.0.146 \\\n. \\\n0.0.0.146 \\\n, \\\n0.0.0.147 \\\n. \\\n0.0.0.147 \\\n, \\\n0.0.0.148 \\\n. \\\n0.0.0.148 \\\n, \\\n0.0.0.149 \\\n. \\\n0.0.0.149 \\\n, \\\n0.0.0.150 \\\n. \\\n0.0.0.150 \\\n, \\\n0.0.0.151 \\\n. \\\n0.0.0.151 \\\n, \\\n0.0.0.152 \\\n. \\\n0.0.0.152 \\\n, \\\n0.0.0.153 \\\n. \\\n0.0.0.153 \\\n, \\\n0.0.0.154 \\\n. \\\n0.0.0.154 \\\n, \\\n0.0.0.155 \\\n. \\\n0.0.0.155 \\\n, \\\n0.0.0.156 \\\n. \\\n0.0.0.156 \\\n, \\\n0.0.0.157 \\\n. \\\n0.0.0.157 \\\n, \\\n0.0.0.158 \\\n. \\\n0.0.0.158 \\\n, \\\n0.0.0.159 \\\n. \\\n0.0.0.159 \\\n, \\\n0.0.0.160 \\\n. \\\n0.0.0.160 \\\n, \\\n0.0.0.161 \\\n. \\\n0.0.0.161 \\\n, \\\n0.0.0.162 \\\n. \\\n0.0.0.162 \\\n, \\\n0.0.0.163 \\\n. \\\n0.0.0.163 \\\n, \\\n0.0.0.164 \\\n. \\\n0.0.0.164 \\\n, \\\n0.0.0.165 \\\n. \\\n0.0.0.165 \\\n, \\\n0.0.0.166 \\\n. \\\n0.0.0.166 \\\n, \\\n0.0.0.167 \\\n. \\\n0.0.0.167 \\\n, \\\n0.0.0.168 \\\n. \\\n0.0.0.168 \\\n, \\\n0.0.0.169 \\\n. \\\n0.0.0.169 \\\n, \\\n0.0.0.170 \\\n. \\\n0.0.0.170 \\\n, \\\n0.0.0.171 \\\n. \\\n0.0.0.171 \\\n, \\\n0.0.0.172 \\\n. \\\n0.0.0.172 \\\n, \\\n0.0.0.173 \\\n. \\\n0.0.0.173 \\\n, \\\n0.0.0.174 \\\n. \\\n0.0.0.174 \\\n, \\\n0.0.0.175 \\\n. \\\n0.0.0.175 \\\n, \\\n0.0.0.176 \\\n. \\\n0.0.0.176 \\\n, \\\n0.0.0.177 \\\n. \\\n0.0.0.177 \\\n, \\\n0.0.0.178 \\\n. \\\n0.0.0.178 \\\n, \\\n0.0.0.179 \\\n. \\\n0.0.0.179 \\\n, \\\n0.0.0.180 \\\n. \\\n0.0.0.180 \\\n, \\\n0.0.0.181 \\\n. \\\n0.0.0.181 \\\n, \\\n0.0.0.182 \\\n. \\\n0.0.0.182 \\\n, \\\n0.0.0.183 \\\n. \\\n0.0.0.183 \\\n, \\\n0.0.0.184 \\\n. \\\n0.0.0.184 \\\n, \\\n0.0.0.185 \\\n. \\\n0.0.0.185 \\\n, \\\n0.0.0.186 \\\n. \\\n0.0.0.186 \\\n, \\\n0.0.0.187 \\\n. \\\n0.0.0.187 \\\n, \\\n0.0.0.188 \\\n. \\\n0.0.0.188 \\\n, \\\n0.0.0.189 \\\n. \\\n0.0.0.189 \\\n, \\\n0.0.0.190 \\\n. \\\n0.0.0.190 \\\n, \\\n0.0.0.191 \\\n. \\\n0.0.0.191 \\\n, \\\n0.0.0.192 \\\n. \\\n0.0.0.192 \\\n, \\\n0.0.0.193 \\\n. \\\n0.0.0.193 \\\n, \\\n0.0.0.194 \\\n. \\\n0.0.0.194 \\\n, \\\n0.0.0.195 \\\n. 
\\\n0.0.0.195 \\\n, \\\n0.0.0.196 \\\n. \\\n0.0.0.196 \\\n, \\\n0.0.0.197 \\\n. \\\n0.0.0.197 \\\n, \\\n0.0.0.198 \\\n. \\\n0.0.0.198 \\\n, \\\n0.0.0.199 \\\n. \\\n0.0.0.199 \\\n, \\\n0.0.0.200 \\\n. \\\n0.0.0.200 \\\n, \\\n0.0.0.201 \\\n. \\\n0.0.0.201 \\\n, \\\n0.0.0.202 \\\n. \\\n0.0.0.202 \\\n, \\\n0.0.0.203 \\\n. \\\n0.0.0.203 \\\n, \\\n0.0.0.204 \\\n. \\\n0.0.0.204 \\\n, \\\n0.0.0.205 \\\n. \\\n0.0.0.205 \\\n, \\\n0.0.0.206 \\\n. \\\n0.0.0.206 \\\n, \\\n0.0.0.207 \\\n. \\\n0.0.0.207 \\\n, \\\n0.0.0.208 \\\n. \\\n0.0.0.208 \\\n, \\\n0.0.0.209 \\\n. \\\n0.0.0.209 \\\n, \\\n0.0.0.210 \\\n. \\\n0.0.0.210 \\\n, \\\n0.0.0.211 \\\n. \\\n0.0.0.211 \\\n, \\\n0.0.0.212 \\\n. \\\n0.0.0.212 \\\n, \\\n0.0.0.213 \\\n. \\\n0.0.0.213 \\\n, \\\n0.0.0.214 \\\n. \\\n0.0.0.214 \\\n, \\\n0.0.0.215 \\\n. \\\n0.0.0.215 \\\n, \\\n0.0.0.216 \\\n. \\\n0.0.0.216 \\\n, \\\n0.0.0.217 \\\n. \\\n0.0.0.217 \\\n, \\\n0.0.0.218 \\\n. \\\n0.0.0.218 \\\n, \\\n0.0.0.219 \\\n. \\\n0.0.0.219 \\\n, \\\n0.0.0.220 \\\n. \\\n0.0.0.220 \\\n, \\\n0.0.0.221 \\\n. \\\n0.0.0.221 \\\n, \\\n0.0.0.222 \\\n. \\\n0.0.0.222 \\\n, \\\n0.0.0.223 \\\n. \\\n0.0.0.223 \\\n, \\\n0.0.0.224 \\\n. \\\n0.0.0.224 \\\n, \\\n0.0.0.225 \\\n. \\\n0.0.0.225 \\\n, \\\n0.0.0.226 \\\n. \\\n0.0.0.226 \\\n, \\\n0.0.0.227 \\\n. \\\n0.0.0.227 \\\n, \\\n0.0.0.228 \\\n. \\\n0.0.0.228 \\\n, \\\n0.0.0.229 \\\n. \\\n0.0.0.229 \\\n, \\\n0.0.0.230 \\\n. \\\n0.0.0.230 \\\n, \\\n0.0.0.231 \\\n. \\\n0.0.0.231 \\\n, \\\n0.0.0.232 \\\n. \\\n0.0.0.232 \\\n, \\\n0.0.0.233 \\\n. \\\n0.0.0.233 \\\n, \\\n0.0.0.234 \\\n. \\\n0.0.0.234 \\\n, \\\n0.0.0.235 \\\n. \\\n0.0.0.235 \\\n, \\\n0.0.0.236 \\\n. \\\n0.0.0.236 \\\n, \\\n0.0.0.237 \\\n. \\\n0.0.0.237 \\\n, \\\n0.0.0.238 \\\n. \\\n0.0.0.238 \\\n, \\\n0.0.0.239 \\\n. \\\n0.0.0.239 \\\n, \\\n0.0.0.240 \\\n. \\\n0.0.0.240 \\\n, \\\n0.0.0.241 \\\n. \\\n0.0.0.241 \\\n, \\\n0.0.0.242 \\\n. \\\n0.0.0.242 \\\n, \\\n0.0.0.243 \\\n. \\\n0.0.0.243 \\\n, \\\n0.0.0.244 \\\n. \\\n0.0.0.244 \\\n, \\\n0.0.0.245 \\\n. 
\\\n0.0.0.245 \\\n, \\\n0.0.0.246 \\\n. \\\n0.0.0.246 \\\n, \\\n0.0.0.247 \\\n. \\\n0.0.0.247 \\\n, \\\n0.0.0.248 \\\n. \\\n0.0.0.248 \\\n, \\\n0.0.0.249 \\\n. \\\n0.0.0.249 \\\n, \\\n0.0.0.250 \\\n. \\\n0.0.0.250 \\\n, \\\n0.0.0.251 \\\n. \\\n0.0.0.251 \\\n, \\\n0.0.0.252 \\\n. \\\n0.0.0.252 \\\n, \\\n0.0.0.253 \\\n. \\\n0.0.0.253 \\\n, \\\n0.0.0.254 \\\n. \\\n0.0.0.254 \\\n, \\\n0.0.0.255 \\\n. \\\n0.0.0.255 \\\n, \\\n'}'\n"
+ "nft \\\nadd \\\nmap \\\nbridge \\\nlibvirt_nwfilter_ethernet \\\nvmap-oif \\\n'{ type iface_index: verdict; }'\n"
+ "nft \\\nadd \\\nmap \\\nbridge \\\nlibvirt_nwfilter_ethernet \\\nvmap-iif \\\n'{ type iface_index: verdict; }'\n"
+ "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt_nwfilter_ethernet \\\npostrouting \\\n'{ type filter hook postrouting priority 0; policy accept; }'\n"
+ "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt_nwfilter_ethernet \\\nprerouting \\\n'{ type filter hook prerouting priority 0; policy accept; }'\n"
+ "nft \\\nadd \\\nrule \\\nbridge \\\nlibvirt_nwfilter_ethernet \\\npostrouting \\\noif \\\nvmap \\\n@vmap-oif\n"
+ "nft \\\nadd \\\nrule \\\nbridge \\\nlibvirt_nwfilter_ethernet \\\nprerouting \\\niif \\\nvmap \\\n@vmap-iif\n"
+ "nft \\\nadd \\\ntable \\\nbridge \\\nlibvirt_nwfilter_inet \\\n'{ comment \"Managed by libvirt for network filters: https://libvirt.org/firewall.html#the-network-filter-driver\"; }'\n"
+ "nft \\\nadd \\\nmap \\\nbridge \\\nlibvirt_nwfilter_inet \\\nvmap-oif \\\n'{ type iface_index: verdict; }'\n",
+ "nft \\\nadd \\\nmap \\\nbridge \\\nlibvirt_nwfilter_inet \\\nvmap-iif \\\n'{ type iface_index: verdict; }'\n"
+ "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt_nwfilter_inet \\\npostrouting \\\n'{ type filter hook postrouting priority 1; policy accept; }'\n"
+ "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt_nwfilter_inet \\\nprerouting \\\n'{ type filter hook prerouting priority 1; policy accept; }'\n"
+ "nft \\\nadd \\\nrule \\\nbridge \\\nlibvirt_nwfilter_inet \\\npostrouting \\\noif \\\nvmap \\\n@vmap-oif\n"
+ "nft \\\nadd \\\nrule \\\nbridge \\\nlibvirt_nwfilter_inet \\\nprerouting \\\niif \\\nvmap \\\n@vmap-iif\n"
+ "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt_nwfilter_ethernet \\\nn-vnet0-in \\\n'{ }'\n"
+ "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt_nwfilter_inet \\\nn-vnet0-in \\\n'{ }'\n"
+ "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt_nwfilter_ethernet \\\nn-vnet0-out \\\n'{ }'\n"
+ "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt_nwfilter_inet \\\nn-vnet0-out \\\n'{ }'\n",
+};
+
+
+static GHashTable *
+virNWFilterCreateVarsFrom(GHashTable *vars1,
+ GHashTable *vars2)
+{
+ g_autoptr(GHashTable) res = virHashNew(virNWFilterVarValueHashFree);
+
+ if (virNWFilterHashTablePutAll(vars1, res) < 0)
+ return NULL;
+
+ if (virNWFilterHashTablePutAll(vars2, res) < 0)
+ return NULL;
+
+ return g_steal_pointer(&res);
+}
+
+
+static void
+virNWFilterRuleInstFree(virNWFilterRuleInst *inst)
+{
+ if (!inst)
+ return;
+
+ g_clear_pointer(&inst->vars, g_hash_table_unref);
+ g_free(inst);
+}
+
+
+static void
+virNWFilterInstReset(virNWFilterInst *inst)
+{
+ size_t i;
+
+ for (i = 0; i < inst->nfilters; i++)
+ virNWFilterDefFree(inst->filters[i]);
+ VIR_FREE(inst->filters);
+ inst->nfilters = 0;
+
+ for (i = 0; i < inst->nrules; i++)
+ virNWFilterRuleInstFree(inst->rules[i]);
+ VIR_FREE(inst->rules);
+ inst->nrules = 0;
+}
+
+
+static int
+virNWFilterDefToInst(const char *xml,
+ GHashTable *vars,
+ virNWFilterInst *inst);
+
+static int
+virNWFilterRuleDefToRuleInst(virNWFilterDef *def,
+ virNWFilterRuleDef *rule,
+ GHashTable *vars,
+ virNWFilterInst *inst)
+{
+ virNWFilterRuleInst *ruleinst;
+ int ret = -1;
+
+ ruleinst = g_new0(virNWFilterRuleInst, 1);
+
+ ruleinst->chainSuffix = def->chainsuffix;
+ ruleinst->chainPriority = def->chainPriority;
+ ruleinst->def = rule;
+ ruleinst->priority = rule->priority;
+ ruleinst->vars = virHashNew(virNWFilterVarValueHashFree);
+
+ if (virNWFilterHashTablePutAll(vars, ruleinst->vars) < 0)
+ goto cleanup;
+
+ VIR_APPEND_ELEMENT(inst->rules, inst->nrules, ruleinst);
+
+ ret = 0;
+ cleanup:
+ virNWFilterRuleInstFree(ruleinst);
+ return ret;
+}
+
+
+static int
+virNWFilterIncludeDefToRuleInst(virNWFilterIncludeDef *inc,
+ GHashTable *vars,
+ virNWFilterInst *inst)
+{
+ g_autoptr(GHashTable) tmpvars = NULL;
+ int ret = -1;
+ g_autofree char *xml = NULL;
+
+ xml = g_strdup_printf("%s/nwfilterxml2firewalldata/%s.xml", abs_srcdir,
+ inc->filterref);
+
+ /* create a temporary hashmap for depth-first tree traversal */
+ if (!(tmpvars = virNWFilterCreateVarsFrom(inc->params,
+ vars)))
+ goto cleanup;
+
+ if (virNWFilterDefToInst(xml,
+ tmpvars,
+ inst) < 0)
+ goto cleanup;
+
+ ret = 0;
+ cleanup:
+ if (ret < 0)
+ virNWFilterInstReset(inst);
+ return ret;
+}
+
+static int
+virNWFilterDefToInst(const char *xml,
+ GHashTable *vars,
+ virNWFilterInst *inst)
+{
+ size_t i;
+ int ret = -1;
+ virNWFilterDef *def = virNWFilterDefParse(NULL, xml, 0);
+
+ if (!def)
+ return -1;
+
+ VIR_APPEND_ELEMENT_COPY(inst->filters, inst->nfilters, def);
+
+ for (i = 0; i < def->nentries; i++) {
+ if (def->filterEntries[i]->rule) {
+ if (virNWFilterRuleDefToRuleInst(def,
+ def->filterEntries[i]->rule,
+ vars,
+ inst) < 0)
+ goto cleanup;
+ } else if (def->filterEntries[i]->include) {
+ if (virNWFilterIncludeDefToRuleInst(def->filterEntries[i]->include,
+ vars,
+ inst) < 0)
+ goto cleanup;
+ }
+ }
+
+ ret = 0;
+ cleanup:
+ if (ret < 0)
+ virNWFilterInstReset(inst);
+ return ret;
+}
+
+
+static void testRemoveCommonRules(char *rules)
+{
+ size_t i;
+ char *offset = rules;
+
+ for (i = 0; i < G_N_ELEMENTS(commonRules); i++) {
+ char *tmp = strstr(offset, commonRules[i]);
+ size_t len = strlen(commonRules[i]);
+ if (tmp) {
+ memmove(tmp, tmp + len, (strlen(tmp) + 1) - len);
+ offset = tmp;
+ }
+ }
+}
+
+
+static int testSetOneParameter(GHashTable *vars,
+ const char *name,
+ const char *value)
+{
+ virNWFilterVarValue *val;
+
+ if ((val = virHashLookup(vars, name)) == NULL) {
+ val = virNWFilterVarValueCreateSimpleCopyValue(value);
+ if (!val)
+ return -1;
+ if (virHashUpdateEntry(vars, name, val) < 0) {
+ virNWFilterVarValueFree(val);
+ return -1;
+ }
+ } else {
+ if (virNWFilterVarValueAddValueCopy(val, value) < 0)
+ return -1;
+ }
+
+ return 0;
+}
+
+static int testSetDefaultParameters(GHashTable *vars)
+{
+ if (testSetOneParameter(vars, "IPSETNAME", "tck_test") < 0 ||
+ testSetOneParameter(vars, "A", "1.1.1.1") ||
+ testSetOneParameter(vars, "A", "2.2.2.2") ||
+ testSetOneParameter(vars, "A", "3.3.3.3") ||
+ testSetOneParameter(vars, "A", "3.3.3.3") ||
+ testSetOneParameter(vars, "B", "80") ||
+ testSetOneParameter(vars, "B", "90") ||
+ testSetOneParameter(vars, "B", "80") ||
+ testSetOneParameter(vars, "B", "80") ||
+ testSetOneParameter(vars, "C", "1080") ||
+ testSetOneParameter(vars, "C", "1090") ||
+ testSetOneParameter(vars, "C", "1100") ||
+ testSetOneParameter(vars, "C", "1110"))
+ return -1;
+ return 0;
+}
+
+static void
+testCommandDryRunCallback(const char *const*args,
+ const char *const*env G_GNUC_UNUSED,
+ const char *input G_GNUC_UNUSED,
+ char **output,
+ char **error G_GNUC_UNUSED,
+ int *status,
+ void *opaque G_GNUC_UNUSED)
+{
+ if (STRNEQ(args[0], "nft")) {
+ return;
+ }
+
+ /* simulate an empty existing set rules */
+ if (STREQ(args[1], "list") && STREQ(args[2], "tables")) {
+ *output = g_strdup("table nothing\n");
+ *status = EXIT_SUCCESS;
+ } else if (STREQ(args[1], "list") && STREQ(args[2], "chains")) {
+ *output = g_strdup("chain nothing\n");
+ *status = EXIT_SUCCESS;
+ }
+}
+
+static int testCompareXMLToArgvFiles(const char *xml,
+ const char *cmdline)
+{
+ g_autofree char *actualargv = NULL;
+ g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
+ g_autoptr(GHashTable) vars = virHashNew(virNWFilterVarValueHashFree);
+ virNWFilterInst inst = { 0 };
+ int ret = -1;
+ g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
+
+ virCommandSetDryRun(dryRunToken, &buf, true, true, testCommandDryRunCallback,
NULL); + + if (testSetDefaultParameters(vars) < 0) + goto cleanup; + + if (virNWFilterDefToInst(xml, + vars, + &inst) < 0) + goto cleanup; + + if (nftables_driver.applyNewRules("vnet0", inst.rules, inst.nrules) < 0) + goto cleanup; + + actualargv = virBufferContentAndReset(&buf); + + testRemoveCommonRules(actualargv); + + if (virTestCompareToFileFull(actualargv, cmdline, false) < 0) + goto cleanup; + + ret = 0; + + cleanup: + virNWFilterInstReset(&inst); + return ret; +} + +struct testInfo { + const char *name; +}; + + +static int +testCompareXMLToIPTablesHelper(const void *data) +{ + int result = -1; + const struct testInfo *info = data; + g_autofree char *xml = NULL; + g_autofree char *args = NULL; + + xml = g_strdup_printf("%s/nwfilterxml2firewalldata/%s.xml", + abs_srcdir, info->name); + + args = g_strdup_printf("%s/nwfilterxml2firewalldata/%s-%s.nftables.args", + abs_srcdir, info->name, RULESTYPE); + + result = testCompareXMLToArgvFiles(xml, args); + + return result; +} + + +static int +mymain(void) +{ + int ret = 0; + +# define DO_TEST(name) \ + do { \ + static struct testInfo info = { \ + name, \ + }; \ + if (virTestRun("NWFilter XML-2-firewall " name, \ + testCompareXMLToIPTablesHelper, &info) < 0) \ + ret = -1; \ + } while (0) + + DO_TEST("ah"); + DO_TEST("ah-ipv6"); + DO_TEST("all"); + DO_TEST("all-ipv6"); + DO_TEST("arp"); + DO_TEST("comment"); + DO_TEST("conntrack"); + DO_TEST("esp"); + DO_TEST("esp-ipv6"); + DO_TEST("example-1"); + DO_TEST("example-2"); + DO_TEST("hex-data"); + DO_TEST("icmp-direction2"); + DO_TEST("icmp-direction3"); + DO_TEST("icmp-direction"); + DO_TEST("icmp"); + DO_TEST("icmpv6"); + DO_TEST("igmp"); + DO_TEST("ip"); + DO_TEST("ipt-no-macspoof"); + DO_TEST("ipv6"); + DO_TEST("iter1"); + DO_TEST("iter2"); + DO_TEST("iter3"); + DO_TEST("mac"); + DO_TEST("rarp"); + DO_TEST("sctp"); + DO_TEST("sctp-ipv6"); + DO_TEST("stp"); + DO_TEST("target2"); + DO_TEST("target"); + DO_TEST("tcp"); + DO_TEST("tcp-ipv6"); + DO_TEST("udp"); + 
DO_TEST("udp-ipv6"); + DO_TEST("udplite"); + DO_TEST("udplite-ipv6"); + DO_TEST("vlan"); + + return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE; +} + +VIR_TEST_MAIN_PRELOAD(mymain, VIR_TEST_MOCK("virfirewall")) + +#else /* ! defined (__linux__) */ + +int main(void) +{ + return EXIT_AM_SKIP; +} + +#endif /* ! defined (__linux__) */ -- 2.43.0