A number of the nwfilter XML files have attribute values
which are out of range. Previously the libvirt nwfilter
XML parser would silently ignore illegal values, causing
them to default to 0. This resulted in creating incorrect
iptables rules, which the TCK suite then validated as
correct. Current libvirt returns a hard error for illegal
XML values. To address this we either change the attribute
values to be valid, or delete the bogus rules entirely if
they are duplicates of other existing valid rules.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
scripts/nwfilter/nwfilterxml2fwallout/arp-test.fwall | 1 -
scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall | 6 +++---
scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall | 6 +++---
scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall | 3 ---
scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall | 4 +---
scripts/nwfilter/nwfilterxml2fwallout/ip-test.fwall | 4 +---
scripts/nwfilter/nwfilterxml2fwallout/mac-test.fwall | 1 -
scripts/nwfilter/nwfilterxml2fwallout/rarp-test.fwall | 1 -
scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall | 6 +++---
scripts/nwfilter/nwfilterxml2fwallout/vlan-test.fwall | 1 -
scripts/nwfilter/nwfilterxml2xmlin/ah-ipv6-test.xml | 2 +-
scripts/nwfilter/nwfilterxml2xmlin/all-ipv6-test.xml | 2 +-
scripts/nwfilter/nwfilterxml2xmlin/arp-test.xml | 5 -----
scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml | 2 +-
scripts/nwfilter/nwfilterxml2xmlin/esp-ipv6-test.xml | 2 +-
scripts/nwfilter/nwfilterxml2xmlin/hex-data-test.xml | 2 +-
scripts/nwfilter/nwfilterxml2xmlin/icmp-test.xml | 5 -----
scripts/nwfilter/nwfilterxml2xmlin/icmpv6-test.xml | 4 ++--
scripts/nwfilter/nwfilterxml2xmlin/ip-test.xml | 8 +-------
scripts/nwfilter/nwfilterxml2xmlin/ipv6-test.xml | 2 +-
scripts/nwfilter/nwfilterxml2xmlin/mac-test.xml | 4 ----
scripts/nwfilter/nwfilterxml2xmlin/rarp-test.xml | 5 -----
scripts/nwfilter/nwfilterxml2xmlin/sctp-ipv6-test.xml | 4 ++--
scripts/nwfilter/nwfilterxml2xmlin/sctp-test.xml | 2 +-
scripts/nwfilter/nwfilterxml2xmlin/tcp-ipv6-test.xml | 4 ++--
scripts/nwfilter/nwfilterxml2xmlin/tcp-test.xml | 2 +-
scripts/nwfilter/nwfilterxml2xmlin/udp-ipv6-test.xml | 6 +++---
scripts/nwfilter/nwfilterxml2xmlin/udp-test.xml | 2 +-
scripts/nwfilter/nwfilterxml2xmlin/udplite-ipv6-test.xml | 2 +-
scripts/nwfilter/nwfilterxml2xmlin/vlan-test.xml | 7 -------
30 files changed, 31 insertions(+), 74 deletions(-)
diff --git a/scripts/nwfilter/nwfilterxml2fwallout/arp-test.fwall
b/scripts/nwfilter/nwfilterxml2fwallout/arp-test.fwall
index 6ff4eb9..34174a0 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/arp-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/arp-test.fwall
@@ -3,7 +3,6 @@
-p ARP -s 1:2:3:4:5:6 --arp-op Request --arp-htype 255 --arp-ptype 0xff -j ACCEPT
-p ARP -s 1:2:3:4:5:6 --arp-op 11 --arp-htype 256 --arp-ptype 0x100 -j ACCEPT
-p ARP -s 1:2:3:4:5:6 --arp-op 65535 --arp-htype 65535 --arp-ptype 0xffff -j ACCEPT
--p ARP -s 1:2:3:4:5:6 -j ACCEPT
#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v
"^$"
-p ARP --arp-gratuitous -j ACCEPT
#ebtables -t nat -L PREROUTING | grep vnet0
diff --git a/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
b/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
index 6ef30a5..842f3bb 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
@@ -31,21 +31,21 @@ FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0 --p
#ip6tables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN tcp ::/0 a:b:c::/128 tcp spts:256:4369 dpts:32:33
state ESTABLISHED ctdir ORIGINAL/* tcp/ipv6 rule */
+RETURN tcp ::/0 a:b:c::/128 DSCP match 0x39 tcp
spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL/* tcp/ipv6 rule */
RETURN udp ::/0 ::/0 state ESTABLISHED ctdir
ORIGINAL/* `ls`;${COLUMNS};$(ls);"test";&'3 spaces' */
RETURN sctp ::/0 ::/0 state ESTABLISHED ctdir
ORIGINAL/* comment with lone ', `, ", `, \, $x, and two spaces */
RETURN ah ::/0 ::/0 state ESTABLISHED ctdir
ORIGINAL/* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 tcp
spts:32:33 dpts:256:4369 state NEW,ESTABLISHED ctdir REPLY/* tcp/ipv6 rule */
+ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x39 tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED ctdir REPLY/* tcp/ipv6 rule
*/
ACCEPT udp ::/0 ::/0 state NEW,ESTABLISHED ctdir
REPLY/* `ls`;${COLUMNS};$(ls);"test";&'3 spaces' */
ACCEPT sctp ::/0 ::/0 state NEW,ESTABLISHED ctdir
REPLY/* comment with lone ', `, ", `, \, $x, and two spaces */
ACCEPT ah ::/0 ::/0 state NEW,ESTABLISHED ctdir
REPLY/* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-RETURN tcp ::/0 a:b:c::/128 tcp spts:256:4369 dpts:32:33
state ESTABLISHED ctdir ORIGINAL/* tcp/ipv6 rule */
+RETURN tcp ::/0 a:b:c::/128 DSCP match 0x39 tcp
spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL/* tcp/ipv6 rule */
RETURN udp ::/0 ::/0 state ESTABLISHED ctdir
ORIGINAL/* `ls`;${COLUMNS};$(ls);"test";&'3 spaces' */
RETURN sctp ::/0 ::/0 state ESTABLISHED ctdir
ORIGINAL/* comment with lone ', `, ", `, \, $x, and two spaces */
RETURN ah ::/0 ::/0 state ESTABLISHED ctdir
ORIGINAL/* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */
diff --git a/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
b/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
index 66b0b71..2ed979e 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
@@ -31,15 +31,15 @@ FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0 --p
#ip6tables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN tcp ::/0 a:b:c::/128 tcp spts:256:4369 dpts:32:33
state ESTABLISHED ctdir ORIGINAL
+RETURN tcp ::/0 a:b:c::/128 DSCP match 0x39 tcp
spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 tcp
spts:32:33 dpts:256:4369 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x39 tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED ctdir REPLY
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-RETURN tcp ::/0 a:b:c::/128 tcp spts:256:4369 dpts:32:33
state ESTABLISHED ctdir ORIGINAL
+RETURN tcp ::/0 a:b:c::/128 DSCP match 0x39 tcp
spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
diff --git a/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
b/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
index e5f84e5..afdd95b 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
@@ -2,17 +2,14 @@
Chain FI-vnet0 (1 references)
target prot opt source destination
RETURN icmp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02icmp type 12 code 11 state NEW,ESTABLISHED
-RETURN icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21icmp type 255 code 255 state NEW,ESTABLISHED
-ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED ctdir REPLY
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
RETURN icmp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02icmp type 12 code 11 state NEW,ESTABLISHED
-RETURN icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
diff --git a/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
b/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
index ed8eee0..4749f84 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
@@ -2,17 +2,15 @@
Chain FI-vnet0 (1 references)
target prot opt source destination
RETURN icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02ipv6-icmp type 12 code 11 state NEW,ESTABLISHED
-RETURN icmpv6 ::/0 ::10.1.2.3/128 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
ACCEPT icmpv6 a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21ipv6-icmp type 255 code 255 state NEW,ESTABLISHED
-ACCEPT icmpv6 ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT icmpv6 ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21ipv6-icmp type 255 code 255 state NEW,ESTABLISHED
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
RETURN icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02ipv6-icmp type 12 code 11 state NEW,ESTABLISHED
-RETURN icmpv6 ::/0 ::10.1.2.3/128 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#ip6tables -L INPUT -n --line-numbers | grep libvirt
1 libvirt-host-in all ::/0 ::/0
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
diff --git a/scripts/nwfilter/nwfilterxml2fwallout/ip-test.fwall
b/scripts/nwfilter/nwfilterxml2fwallout/ip-test.fwall
index f3cd49b..dbd6497 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/ip-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/ip-test.fwall
@@ -5,8 +5,6 @@
#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v
"^$"
-p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst 10.1.2.3
--ip-proto udp --ip-sport 20:22 --ip-dport 100:101 -j ACCEPT
-p IPv4 --ip-src 10.1.0.0/17 --ip-dst 10.1.2.0/24 --ip-tos 0x3F --ip-proto udp -j ACCEPT
--p IPv4 --ip-src 10.1.2.2/31 --ip-dst 10.1.2.3 -j ACCEPT
#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v
"^$"
--p IPv4 --ip-src 10.1.2.2/31 --ip-dst 10.1.2.0/25 --ip-proto 255 -j ACCEPT
--p IPv4 --ip-src 10.1.2.3 --ip-dst 10.1.2.2/31 -j ACCEPT
+-p IPv4 --ip-src 10.1.2.2/31 --ip-dst 10.1.2.0/25 --ip-tos 0x3F --ip-proto 255 -j ACCEPT
diff --git a/scripts/nwfilter/nwfilterxml2fwallout/mac-test.fwall
b/scripts/nwfilter/nwfilterxml2fwallout/mac-test.fwall
index 2dd7952..bb00629 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/mac-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/mac-test.fwall
@@ -7,6 +7,5 @@
#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v
"^$"
-p IPv4 -d aa:bb:cc:dd:ee:ff -j ACCEPT
-p 0x600 -d aa:bb:cc:dd:ee:ff -j ACCEPT
--d aa:bb:cc:dd:ee:ff -j ACCEPT
-p 0xffff -d aa:bb:cc:dd:ee:ff -j ACCEPT
diff --git a/scripts/nwfilter/nwfilterxml2fwallout/rarp-test.fwall
b/scripts/nwfilter/nwfilterxml2fwallout/rarp-test.fwall
index 77d9806..e0d9c8c 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/rarp-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/rarp-test.fwall
@@ -3,7 +3,6 @@
-p RARP -s 1:2:3:4:5:6 --arp-op Request --arp-htype 255 --arp-ptype 0xff -j ACCEPT
-p RARP -s 1:2:3:4:5:6 --arp-op 11 --arp-htype 256 --arp-ptype 0x100 -j ACCEPT
-p RARP -s 1:2:3:4:5:6 --arp-op 65535 --arp-htype 65535 --arp-ptype 0xffff -j ACCEPT
--p RARP -s 1:2:3:4:5:6 -j ACCEPT
#ebtables -t nat -L PREROUTING | grep vnet0
-i vnet0 -j libvirt-I-vnet0
diff --git a/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
b/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
index dd7b19c..0a75421 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
@@ -2,19 +2,19 @@
Chain FI-vnet0 (1 references)
target prot opt source destination
RETURN udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
-RETURN udp ::/0 ::/0 DSCP match 0x21udp
spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN udp ::/0 ::a:b:c/128 DSCP match 0x21udp
spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
RETURN udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535
dpts:255:256 state ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
ACCEPT udp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state
ESTABLISHED ctdir ORIGINAL
-ACCEPT udp ::/0 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21udp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT udp ::a:b:c/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21udp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY
ACCEPT udp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x3fudp spts:255:256 dpt:65535 state NEW,ESTABLISHED ctdir REPLY
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
RETURN udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
-RETURN udp ::/0 ::/0 DSCP match 0x21udp
spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN udp ::/0 ::a:b:c/128 DSCP match 0x21udp
spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
RETURN udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535
dpts:255:256 state ESTABLISHED ctdir ORIGINAL
#ip6tables -L INPUT -n --line-numbers | grep libvirt
1 libvirt-host-in all ::/0 ::/0
diff --git a/scripts/nwfilter/nwfilterxml2fwallout/vlan-test.fwall
b/scripts/nwfilter/nwfilterxml2fwallout/vlan-test.fwall
index 603f470..a2fbfd3 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/vlan-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/vlan-test.fwall
@@ -7,7 +7,6 @@
-p 802_1Q -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --vlan-id 291 -j CONTINUE
-p 802_1Q -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --vlan-id 1234 -j RETURN
-p 802_1Q -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --vlan-id 291 -j DROP
--p 802_1Q -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff -j ACCEPT
#ebtables -t nat -L PREROUTING | grep vnet0
-i vnet0 -j libvirt-I-vnet0
#ebtables -t nat -L POSTROUTING | grep vnet0
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/ah-ipv6-test.xml
b/scripts/nwfilter/nwfilterxml2xmlin/ah-ipv6-test.xml
index 07d1ffe..95ebbc9 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/ah-ipv6-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/ah-ipv6-test.xml
@@ -13,7 +13,7 @@
</rule>
<rule action='accept' direction='in'>
<ah-ipv6 srcmacaddr='1:2:3:4:5:6'
- srcipaddr='::10.1.2.3' srcipmask='129'
+ srcipaddr='::10.1.2.3' srcipmask='128'
dscp='33'/>
</rule>
</filter>
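Review bot: Nothing in this rule now checks that libvirt rejects an out-of-range prefix length, because `srcipmask='129'` was the input that exercised it and it is replaced by the valid `'128'`. The old silent default to 0 produced wider firewall rules than the XML asked for (the old udp-ipv6 expectation for the malformed address was `::/0`), so a regression in the parser's range checking would be security-relevant. Consider keeping the illegal values in a separate filter XML and asserting that defining it fails. The same applies to the other `129`→`128`, `65536`→`65535` and `dscp` 64/0x40 edits, and to the rules deleted from arp-test.xml, icmp-test.xml, ip-test.xml, rarp-test.xml and vlan-test.xml. Whether the harness can express an expected-failure case is not visible from this patch.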
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/all-ipv6-test.xml
b/scripts/nwfilter/nwfilterxml2xmlin/all-ipv6-test.xml
index eb39bc3..5cf3519 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/all-ipv6-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/all-ipv6-test.xml
@@ -13,7 +13,7 @@
</rule>
<rule action='accept' direction='in'>
<all-ipv6 srcmacaddr='1:2:3:4:5:6'
- srcipaddr='::10.1.2.3' srcipmask='129'
+ srcipaddr='::10.1.2.3' srcipmask='128'
dscp='33'/>
</rule>
</filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/arp-test.xml
b/scripts/nwfilter/nwfilterxml2xmlin/arp-test.xml
index 2e08b32..d0abf94 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/arp-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/arp-test.xml
@@ -26,11 +26,6 @@
opcode='65535' hwtype='65535' protocoltype='65535'
/>
</rule>
- <rule action='accept' direction='out'>
- <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
- opcode='65536' hwtype='65536' protocoltype='65536'
/>
- </rule>
-
<rule action='accept' direction='in'>
<arp gratuitous='true'/>
</rule>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml
b/scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml
index af5c5cc..a154a17 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml
@@ -50,7 +50,7 @@
<rule action='accept' direction='in'>
<tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
srcipaddr='a:b:c::' srcipmask='128'
- dscp='0x40'
+ dscp='0x39'
srcportstart='0x20' srcportend='0x21'
dstportstart='0x100' dstportend='0x1111'
comment='tcp/ipv6 rule'/>
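Review bot: The replacement `dscp='0x39'` is a valid value but sits below the 6-bit maximum, so the hex-parsing case no longer tests the upper boundary of the DSCP range. `dscp='0x3f'` would pin it at the limit, matching the `dscp='63'` used in the decimal tests and the 64→63 change in ip-test.xml. The three `DSCP match 0x39` lines in comment-test.fwall would then become `0x3f`. hex-data-test.xml and hex-data-test.fwall carry the same edit. The `<tcp-ipv6>` element continues outside the hunk.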
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/esp-ipv6-test.xml
b/scripts/nwfilter/nwfilterxml2xmlin/esp-ipv6-test.xml
index 4dd9b98..295d0f9 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/esp-ipv6-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/esp-ipv6-test.xml
@@ -13,7 +13,7 @@
</rule>
<rule action='accept' direction='in'>
<esp-ipv6 srcmacaddr='1:2:3:4:5:6'
- srcipaddr='::10.1.2.3' srcipmask='129'
+ srcipaddr='::10.1.2.3' srcipmask='128'
dscp='33'/>
</rule>
</filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/hex-data-test.xml
b/scripts/nwfilter/nwfilterxml2xmlin/hex-data-test.xml
index d2da079..45df451 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/hex-data-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/hex-data-test.xml
@@ -48,7 +48,7 @@
<rule action='accept' direction='in'>
<tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
srcipaddr='a:b:c::' srcipmask='128'
- dscp='0x40'
+ dscp='0x39'
srcportstart='0x20' srcportend='0x21'
dstportstart='0x100' dstportend='0x1111'/>
</rule>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/icmp-test.xml
b/scripts/nwfilter/nwfilterxml2xmlin/icmp-test.xml
index 90f852b..fff5d42 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/icmp-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/icmp-test.xml
@@ -10,9 +10,4 @@
srcipaddr='10.1.2.3' srcipmask='22'
dscp='33' type='255' code='255'/>
</rule>
- <rule action='accept' direction='in'>
- <icmp srcmacaddr='1:2:3:4:5:6'
- srcipaddr='10.1.2.3' srcipmask='22'
- dscp='33' type='256' code='256'/>
- </rule>
</filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/icmpv6-test.xml
b/scripts/nwfilter/nwfilterxml2xmlin/icmpv6-test.xml
index 01dc6e2..9d24826 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/icmpv6-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/icmpv6-test.xml
@@ -13,7 +13,7 @@
</rule>
<rule action='accept' direction='in'>
<icmpv6 srcmacaddr='1:2:3:4:5:6'
- srcipaddr='::10.1.2.3' srcipmask='129'
- dscp='33' type='256' code='256'/>
+ srcipaddr='::10.1.2.3' srcipmask='128'
+ dscp='33' type='255' code='255'/>
</rule>
</filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/ip-test.xml
b/scripts/nwfilter/nwfilterxml2xmlin/ip-test.xml
index 0a744a2..da362a1 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/ip-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/ip-test.xml
@@ -21,14 +21,8 @@
<rule action='accept' direction='in'>
<ip srcipaddr='10.1.2.3' srcipmask='255.255.255.254'
dstipaddr='10.1.2.3' dstipmask='255.255.255.128'
- protocol='255' dscp='64'
+ protocol='255' dscp='63'
/>
</rule>
- <rule action='accept' direction='inout'>
- <ip srcipaddr='10.1.2.3' srcipmask='255.255.255.127'
- dstipaddr='10.1.2.3' dstipmask='255.255.255.254'
- protocol='256' dscp='64'
- />
- </rule>
</filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/ipv6-test.xml
b/scripts/nwfilter/nwfilterxml2xmlin/ipv6-test.xml
index 7fa7181..9f67bea 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/ipv6-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/ipv6-test.xml
@@ -28,7 +28,7 @@
dstipmask='ffff:ffff:ffff:ffff:8000::'
protocol='6'
srcportstart='255' srcportend='256'
- dstportstart='65535' dstportend='65536'
+ dstportstart='65535' dstportend='65535'
/>
</rule>
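Review bot: With `dstportend='65535'` the destination range is now 65535–65535, so this rule covers a single port and not a range ending at the top of the 16-bit space. `dstportstart='65534' dstportend='65535'` would keep a real range at the boundary. The expected output for this test would then need updating, and the diffstat shows no .fwall change for ipv6-test, so presumably the current expectation already shows a single port. The same edit appears in sctp-ipv6-test.xml, sctp-test.xml, tcp-ipv6-test.xml, tcp-test.xml, udp-ipv6-test.xml and udp-test.xml. The rule itself starts above the hunk.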
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/mac-test.xml
b/scripts/nwfilter/nwfilterxml2xmlin/mac-test.xml
index 8f9565c..2aec935 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/mac-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/mac-test.xml
@@ -14,10 +14,6 @@
</rule>
<rule action='accept' direction='in'>
<mac dstmacaddr='aa:bb:cc:dd:ee:ff'
dstmacmask='ff:ff:ff:ff:ff:ff'
- protocolid='15'/>
- </rule>
- <rule action='accept' direction='in'>
- <mac dstmacaddr='aa:bb:cc:dd:ee:ff'
dstmacmask='ff:ff:ff:ff:ff:ff'
protocolid='65535'/>
</rule>
</filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/rarp-test.xml
b/scripts/nwfilter/nwfilterxml2xmlin/rarp-test.xml
index 7b99df0..77c1127 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/rarp-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/rarp-test.xml
@@ -25,9 +25,4 @@
<rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
opcode='65535' hwtype='65535' protocoltype='65535'
/>
</rule>
-
- <rule action='accept' direction='out'>
- <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
- opcode='65536' hwtype='65536' protocoltype='65536'
/>
- </rule>
</filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/sctp-ipv6-test.xml
b/scripts/nwfilter/nwfilterxml2xmlin/sctp-ipv6-test.xml
index 99bf349..d1a57b8 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/sctp-ipv6-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/sctp-ipv6-test.xml
@@ -14,9 +14,9 @@
</rule>
<rule action='accept' direction='in'>
<sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
- srcipaddr='::10.1.2.3' srcipmask='129'
+ srcipaddr='::10.1.2.3' srcipmask='128'
dscp='63'
srcportstart='255' srcportend='256'
- dstportstart='65535' dstportend='65536'/>
+ dstportstart='65535' dstportend='65535'/>
</rule>
</filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/sctp-test.xml
b/scripts/nwfilter/nwfilterxml2xmlin/sctp-test.xml
index c2f635b..c3c1000 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/sctp-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/sctp-test.xml
@@ -17,6 +17,6 @@
srcipaddr='10.1.2.3' srcipmask='32'
dscp='63'
srcportstart='255' srcportend='256'
- dstportstart='65535' dstportend='65536'/>
+ dstportstart='65535' dstportend='65535'/>
</rule>
</filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/tcp-ipv6-test.xml
b/scripts/nwfilter/nwfilterxml2xmlin/tcp-ipv6-test.xml
index ecc1d30..d4f24f4 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/tcp-ipv6-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/tcp-ipv6-test.xml
@@ -14,9 +14,9 @@
</rule>
<rule action='accept' direction='in'>
<tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
- srcipaddr='::10.1.2.3' srcipmask='129'
+ srcipaddr='::10.1.2.3' srcipmask='128'
dscp='63'
srcportstart='255' srcportend='256'
- dstportstart='65535' dstportend='65536'/>
+ dstportstart='65535' dstportend='65535'/>
</rule>
</filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/tcp-test.xml
b/scripts/nwfilter/nwfilterxml2xmlin/tcp-test.xml
index fc77683..14ebd35 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/tcp-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/tcp-test.xml
@@ -17,7 +17,7 @@
srcipaddr='10.1.2.3' srcipmask='32'
dscp='63'
srcportstart='255' srcportend='256'
- dstportstart='65535' dstportend='65536'/>
+ dstportstart='65535' dstportend='65535'/>
</rule>
<rule action='accept' direction='in'>
<tcp state='NONE' flags='SYN/ALL'/>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/udp-ipv6-test.xml
b/scripts/nwfilter/nwfilterxml2xmlin/udp-ipv6-test.xml
index e8c6ba6..fd4f135 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/udp-ipv6-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/udp-ipv6-test.xml
@@ -7,16 +7,16 @@
</rule>
<rule action='accept' direction='in'>
<udp-ipv6 srcmacaddr='1:2:3:4:5:6'
- srcipaddr='a:b:c' srcipmask='128'
+ srcipaddr='::a:b:c' srcipmask='128'
dscp='33'
srcportstart='20' srcportend='21'
dstportstart='100' dstportend='1111'/>
</rule>
<rule action='accept' direction='in'>
<udp-ipv6 srcmacaddr='1:2:3:4:5:6'
- srcipaddr='::10.1.2.3' srcipmask='129'
+ srcipaddr='::10.1.2.3' srcipmask='128'
dscp='63'
srcportstart='255' srcportend='256'
- dstportstart='65535' dstportend='65536'/>
+ dstportstart='65535' dstportend='65535'/>
</rule>
</filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/udp-test.xml
b/scripts/nwfilter/nwfilterxml2xmlin/udp-test.xml
index 10ce53d..359dfa2 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/udp-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/udp-test.xml
@@ -17,6 +17,6 @@
srcipaddr='10.1.2.3' srcipmask='32'
dscp='63'
srcportstart='255' srcportend='256'
- dstportstart='65535' dstportend='65536'/>
+ dstportstart='65535' dstportend='65535'/>
</rule>
</filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/udplite-ipv6-test.xml
b/scripts/nwfilter/nwfilterxml2xmlin/udplite-ipv6-test.xml
index 0763a7d..5b941a2 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/udplite-ipv6-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/udplite-ipv6-test.xml
@@ -13,7 +13,7 @@
</rule>
<rule action='accept' direction='in'>
<udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
- srcipaddr='::10.1.2.3' srcipmask='129'
+ srcipaddr='::10.1.2.3' srcipmask='128'
dscp='33'/>
</rule>
</filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/vlan-test.xml
b/scripts/nwfilter/nwfilterxml2xmlin/vlan-test.xml
index 65ee04b..a5e7b38 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/vlan-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/vlan-test.xml
@@ -21,13 +21,6 @@
/>
</rule>
- <rule action='accept' direction='in'>
- <vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
- dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
- vlanid='0xffff'
- />
- </rule>
-
<rule action='drop' direction='out'>
<vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
--
1.8.5.3