[libvirt] [PATCH] [TCK] nwfilter: add test data for recently added extensions

Thursday, 7 October 2010

This patch adds more test data for the recently added comment and 
state attribute.

Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com&gt;

---
  scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall |   77 
+++++++++++++++
  scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall    |   22 ++++
  scripts/nwfilter/nwfilterxml2fwallout/example-2.fwall    |   20 +++
  scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml      |   71 
+++++++++++++
  scripts/nwfilter/nwfilterxml2xmlin/example-1.xml         |   24 ++++
  scripts/nwfilter/nwfilterxml2xmlin/example-2.xml         |   37 +++++++
  6 files changed, 251 insertions(+)

Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml
===================================================================

--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml
@@ -0,0 +1,71 @@
+<filter name='tck-testcase'>
+ <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+
+ <rule action='accept' direction='in'>
+ <mac protocolid='0x1234' comment='mac rule'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ip  srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+          dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+          srcipaddr='10.1.2.3' srcipmask='255.255.255.255'
+          dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+          protocol='udp'
+          srcportstart='0x123' srcportend='0x234'
+          dstportstart='0x3456' dstportend='0x4567'
+          dscp='0x32' comment='ip rule'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe'
+           dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80'
+           srcipaddr='::10.1.2.3' srcipmask='22'
+           dstipaddr='::10.1.2.3'
+           dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000'
+           protocol='tcp'
+           srcportstart='0x111' srcportend='400'
+           dstportstart='0x3333' dstportend='65535' comment='ipv6
rule'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+          dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+          hwtype='0x12'
+          protocoltype='0x56'
+          opcode='Request'
+          arpsrcmacaddr='1:2:3:4:5:6'
+          arpdstmacaddr='a:b:c:d:e:f'
+          comment='arp rule'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+          dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+          dscp='0x22'
+          srcportstart='0x123' srcportend='400'
+          dstportstart='0x234' dstportend='0x444'
+          comment='udp rule'/>
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+               srcipaddr='a:b:c::' srcipmask='128'
+               dscp='0x40'
+               srcportstart='0x20' srcportend='0x21'
+               dstportstart='0x100' dstportend='0x1111'
+               comment='tcp/ipv6 rule'/>
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <udp-ipv6 comment='`ls`;${COLUMNS};$(ls);"test";&amp;&apos;3  

spaces&apos;'/>
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <sctp-ipv6 comment='comment with lone &apos;, `, ", `, \, $x, and two  
spaces'/>
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <ah-ipv6 comment='tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat &lt; 
${tmp}; rm -f ${tmp}'/>
+ </rule>
+
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
@@ -0,0 +1,77 @@
+#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep 
-v "^$"
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep 
-v "^$"
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v
"^$"
+-p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst 
10.1.2.3 --ip-tos 0x32 --ip-proto udp --ip-sport 291:564 --ip-dport 
13398:17767 -j ACCEPT
+-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d 
aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst 
::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto tcp 
--ip6-sport 273:400 --ip6-dport 13107:65535 -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype 
18 --arp-ptype 0x56 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f 
-j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v
"^$"
+-p 0x1234 -j ACCEPT
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            MAC 
01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400 
dpts:564:1092 state NEW,ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination
+ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           DSCP match 
0x22/* udp rule */ udp spts:564:1092 dpts:291:400 state ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination
+ACCEPT     udp  --  0.0.0.0/0            10.1.2.3            MAC 
01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400 
dpts:564:1092
+#iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in 
vnet0
+#iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in 
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out 
vnet0
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination
+RETURN     tcp      ::/0                 a:b:c::/128         /* 
tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 state ESTABLISHED
+RETURN     udp      ::/0                 ::/0                /* 
`ls`;${COLUMNS};$(ls);"test";&'3   spaces' */ state ESTABLISHED
+RETURN     sctp     ::/0                 ::/0                /* comment 
with lone ', `, ", `, \\, $x, and two  spaces */ state ESTABLISHED
+RETURN     ah       ::/0                 ::/0                /* 
tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ 
state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination
+ACCEPT     tcp      a:b:c::/128          ::/0                MAC 
01:02:03:04:05:06 /* tcp/ipv6 rule */ tcp spts:32:33 dpts:256:4369 state 
NEW,ESTABLISHED
+ACCEPT     udp      ::/0                 ::/0                /* 
`ls`;${COLUMNS};$(ls);"test";&'3   spaces' */ state NEW,ESTABLISHED
+ACCEPT     sctp     ::/0                 ::/0                /* comment 
with lone ', `, ", `, \\, $x, and two  spaces */ state NEW,ESTABLISHED
+ACCEPT     ah       ::/0                 ::/0                /* 
tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ 
state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination
+ACCEPT     tcp      ::/0                 a:b:c::/128         /* 
tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33
+ACCEPT     udp      ::/0                 ::/0                /* 
`ls`;${COLUMNS};$(ls);"test";&'3   spaces' */
+ACCEPT     sctp     ::/0                 ::/0                /* comment 
with lone ', `, ", `, \\, $x, and two  spaces */
+ACCEPT     ah       ::/0                 ::/0                /* 
tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT     all      ::/0                 ::/0                PHYSDEV 
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in 
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in 
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out 
vnet0
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1    libvirt-host-in  all      ::/0                 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT     all      ::/0                 ::/0                PHYSDEV 
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall
@@ -0,0 +1,22 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination
+RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:22 
state ESTABLISHED
+RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           state 
ESTABLISHED
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0           state 
ESTABLISHED
+DROP       all  --  0.0.0.0/0            0.0.0.0/0
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination
+ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
state NEW,ESTABLISHED
+ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
NEW,ESTABLISHED
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state 
NEW,ESTABLISHED
+DROP       all  --  0.0.0.0/0            0.0.0.0/0
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination
+ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:22
+ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
+DROP       all  --  0.0.0.0/0            0.0.0.0/0
+
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/example-1.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/example-1.xml
@@ -0,0 +1,24 @@
+<filter name='tck-testcase'>
+ <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+
+ <!-- allow incoming ssh connections -->
+ <rule action='accept' direction='in' priority='100'>
+ <tcp dstportstart='22'/>
+ </rule>
+
+ <!-- allow incoming ICMP (ping) packets -->
+ <rule action='accept' direction='in' priority='200'>
+ <icmp/>
+ </rule>
+
+ <!-- allow all outgoing traffic -->
+ <rule action='accept' direction='in' priority='300'>
+ <all/>
+ </rule>
+
+ <!-- drop all other traffic -->
+ <rule action='drop' direction='inout' priority='1000'>
+ <all/>
+ </rule>
+
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/example-2.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/example-2.xml
@@ -0,0 +1,37 @@
+<filter name='tck-testcase'>
+ <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+
+ <!-- VM outgoing: allow all established and related connections -->
+ <rule action='accept' direction='out' priority='100'>
+ <all state='ESTABLISHED,RELATED'
+         comment='out: existing and related (ftp) connections'/>
+ </rule>
+
+ <!-- VM incoming: allow all established connections -->
+ <rule action='accept' direction='in' priority='100'>
+ <all state='ESTABLISHED'
+         comment='in: existing connections'/>
+ </rule>
+
+ <!-- allow incoming ssh and ftp traffic -->
+ <rule action='accept' direction='in' priority='200'>
+ <tcp dstportstart='21' dstportend='22' state='NEW'
+         comment='in: ftp and ssh'/>
+ </rule>
+
+ <!-- allow incoming ICMP (ping) packets -->
+ <rule action='accept' direction='in' priority='300'>
+ <icmp state='NEW' comment='in: icmp'/>
+ </rule>
+
+ <!-- allow outgong DNS lookups -->
+ <rule action='accept' direction='out' priority='300'>
+ <udp dstportstart='53' state='NEW' comment='out: DNS
lookups'/>
+ </rule>
+
+ <!-- drop all other traffic -->
+ <rule action='drop' direction='inout' priority='1000'>
+ <all comment='inout: drop all non-accepted traffic'/>
+ </rule>
+
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/example-2.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/example-2.fwall
@@ -0,0 +1,20 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0           /* out: 
existing and related (ftp) connections */ state RELATED,ESTABLISHED
+RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           /* out: 
DNS lookups */ udp dpt:53 state NEW
+DROP       all  --  0.0.0.0/0            0.0.0.0/0           /* inout: 
drop all non-accepted traffic */
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           /* in: 
existing connections */ state ESTABLISHED
+ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           /* in: ftp 
and ssh */ tcp dpts:21:22 state NEW
+ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           /* in: 
icmp */ state NEW
+DROP       all  --  0.0.0.0/0            0.0.0.0/0           /* inout: 
drop all non-accepted traffic */
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0           /* out: 
existing and related (ftp) connections */ state RELATED,ESTABLISHED
+RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           /* out: 
DNS lookups */ udp dpt:53 state NEW
+DROP       all  --  0.0.0.0/0            0.0.0.0/0           /* inout: 
drop all non-accepted traffic */
+


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

[libvirt] [PATCH] [TCK] nwfilter: add test data for recently added extensions