
This patch adds more test data for the recently added comment and state attribute.
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
---
 scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall | 77 +++++++++++++++
 scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall | 22 ++++
 scripts/nwfilter/nwfilterxml2fwallout/example-2.fwall | 20 +++
 scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml | 71 +++++++++++++
 scripts/nwfilter/nwfilterxml2xmlin/example-1.xml | 24 ++++
 scripts/nwfilter/nwfilterxml2xmlin/example-2.xml | 37 +++++++
 6 files changed, 251 insertions(+)
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml
@@ -0,0 +1,71 @@
+<filter name='tck-testcase'>
+ <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+
+ <rule action='accept' direction='in'>
+ <mac protocolid='0x1234' comment='mac rule'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ip srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ srcipaddr='10.1.2.3' srcipmask='255.255.255.255'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ protocol='udp'
+ srcportstart='0x123' srcportend='0x234'
+ dstportstart='0x3456' dstportend='0x4567'
+ dscp='0x32' comment='ip rule'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80'
+ srcipaddr='::10.1.2.3' srcipmask='22'
+ dstipaddr='::10.1.2.3'
+ dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000'
+ protocol='tcp'
+ srcportstart='0x111' srcportend='400'
+ dstportstart='0x3333' dstportend='65535' comment='ipv6 rule'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ hwtype='0x12'
+ protocoltype='0x56'
+ opcode='Request'
+ arpsrcmacaddr='1:2:3:4:5:6'
+ arpdstmacaddr='a:b:c:d:e:f'
+ comment='arp rule'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='0x22'
+ srcportstart='0x123' srcportend='400'
+ dstportstart='0x234' dstportend='0x444'
+ comment='udp rule'/>
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='0x40'
+ srcportstart='0x20' srcportend='0x21'
+ dstportstart='0x100' dstportend='0x1111'
+ comment='tcp/ipv6 rule'/>
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <udp-ipv6 comment='`ls`;${COLUMNS};$(ls);"test";&'3 spaces''/>
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <sctp-ipv6 comment='comment with lone ', `, ", `, \, $x, and two spaces'/>
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <ah-ipv6 comment='tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}'/>
+ </rule>
+
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
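Review bot: As rendered here, the `comment` attributes of the new udp-ipv6, sctp-ipv6 and ah-ipv6 rules are not well-formed XML: the single-quoted values contain raw `'` (`&'3 spaces''` and `lone ', `), a bare `&`, and in the ah-ipv6 case a `<` (`cat < ${tmp}`), none of which may appear unescaped inside an attribute value. Presumably the committed file uses `&apos;`, `&amp;` and `&lt;` and the entities were decoded when this message was rendered, but it is worth confirming that the file actually parses, since a parse error would drop exactly the three cases that matter. Those three comments are the security-relevant part of this fixture: they carry shell metacharacters (backticks, `$(ls)`, `${RANDOM}`, redirections) that must reach iptables' `--comment` unexpanded, so I would add a short XML comment above the udp-ipv6 rule saying so, e.g. `<!-- the next three comments contain shell metacharacters; they must appear verbatim in the expected output -->`.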
@@ -0,0 +1,77 @@
+#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst 10.1.2.3 --ip-tos 0x32 --ip-proto udp --ip-sport 291:564 --ip-dport 13398:17767 -j ACCEPT
+-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst ::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto tcp --ip6-sport 273:400 --ip6-dport 13107:65535 -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype 18 --arp-ptype 0x56 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f -j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p 0x1234 -j ACCEPT
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x22/* udp rule */ udp spts:564:1092 dpts:291:400 state ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400 dpts:564:1092
+#iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN tcp ::/0 a:b:c::/128 /* tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 state ESTABLISHED
+RETURN udp ::/0 ::/0 /* `ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state ESTABLISHED
+RETURN sctp ::/0 ::/0 /* comment with lone ', `, ", `, \\, $x, and two spaces */ state ESTABLISHED
+RETURN ah ::/0 ::/0 /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 /* tcp/ipv6 rule */ tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED
+ACCEPT udp ::/0 ::/0 /* `ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state NEW,ESTABLISHED
+ACCEPT sctp ::/0 ::/0 /* comment with lone ', `, ", `, \\, $x, and two spaces */ state NEW,ESTABLISHED
+ACCEPT ah ::/0 ::/0 /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp ::/0 a:b:c::/128 /* tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33
+ACCEPT udp ::/0 ::/0 /* `ls`;${COLUMNS};$(ls);"test";&'3 spaces' */
+ACCEPT sctp ::/0 ::/0 /* comment with lone ', `, ", `, \\, $x, and two spaces */
+ACCEPT ah ::/0 ::/0 /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall
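Review bot: The trailing block from `#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "` to the end re-checks chains already covered earlier in the same file: the four `ip6tables -L libvirt-{host-in,in,in-post,out}` queries and their rows appear twice verbatim, and the four `iptables` ones appear twice differing only in the grep pattern (`grep HI-vnet0` / `grep FI-vnet0` earlier vs `grep vnet0` later). The only new check in that block is `#ip6tables -L INPUT -n --line-numbers | grep libvirt`, which has no IPv4 counterpart, so the hookup of `libvirt-host-in` into the IPv4 INPUT chain is never verified while the IPv6 one is. I would drop the duplicated queries and add `#iptables -L INPUT -n --line-numbers | grep libvirt` with its expected row (likely `1 libvirt-host-in all -- 0.0.0.0/0 0.0.0.0/0`, but take it from a live run rather than my guess). Separately, the three shell-metacharacter comments appearing byte-for-byte in the FI/FO/HI rows is the actual injection assertion of this fixture; a mismatch on those rows should be treated as a potential command-injection regression rather than a formatting difference.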
@@ -0,0 +1,22 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/example-1.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/example-1.xml
@@ -0,0 +1,24 @@
+<filter name='tck-testcase'>
+ <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+
+ <!-- allow incoming ssh connections -->
+ <rule action='accept' direction='in' priority='100'>
+ <tcp dstportstart='22'/>
+ </rule>
+
+ <!-- allow incoming ICMP (ping) packets -->
+ <rule action='accept' direction='in' priority='200'>
+ <icmp/>
+ </rule>
+
+ <!-- allow all outgoing traffic -->
+ <rule action='accept' direction='in' priority='300'>
+ <all/>
+ </rule>
+
+ <!-- drop all other traffic -->
+ <rule action='drop' direction='inout' priority='1000'>
+ <all/>
+ </rule>
+
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/example-2.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/example-2.xml
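Review bot: The third rule in example-1.xml contradicts its own comment: `<!-- allow all outgoing traffic -->` is followed by `<rule action='accept' direction='in' priority='300'>` wrapping `<all/>`, which accepts all traffic towards the VM instead. The direction semantics are confirmed by the ssh rule in the same file, whose `direction='in'` becomes `ACCEPT tcp ... dpt:22 state NEW,ESTABLISHED` in FO-vnet0 in example-1.fwall, and the all-rule follows the same pattern there (`ACCEPT all ... state NEW,ESTABLISHED` in FO-vnet0, `RETURN all ... state ESTABLISHED` then `DROP all` in FI-vnet0). So the expected output faithfully encodes an inverted policy: any new inbound connection reaches the VM, the ssh and icmp accepts become redundant, and the VM's own new outbound connections hit the priority-1000 inout DROP. Since these 'example' fixtures read like templates people will copy, I would change that rule to `direction='out'` and regenerate example-1.fwall from a live run so the FI/FO rows swap accordingly.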
@@ -0,0 +1,37 @@
+<filter name='tck-testcase'>
+ <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+
+ <!-- VM outgoing: allow all established and related connections -->
+ <rule action='accept' direction='out' priority='100'>
+ <all state='ESTABLISHED,RELATED'
+ comment='out: existing and related (ftp) connections'/>
+ </rule>
+
+ <!-- VM incoming: allow all established connections -->
+ <rule action='accept' direction='in' priority='100'>
+ <all state='ESTABLISHED'
+ comment='in: existing connections'/>
+ </rule>
+
+ <!-- allow incoming ssh and ftp traffic -->
+ <rule action='accept' direction='in' priority='200'>
+ <tcp dstportstart='21' dstportend='22' state='NEW'
+ comment='in: ftp and ssh'/>
+ </rule>
+
+ <!-- allow incoming ICMP (ping) packets -->
+ <rule action='accept' direction='in' priority='300'>
+ <icmp state='NEW' comment='in: icmp'/>
+ </rule>
+
+ <!-- allow outgong DNS lookups -->
+ <rule action='accept' direction='out' priority='300'>
+ <udp dstportstart='53' state='NEW' comment='out: DNS lookups'/>
+ </rule>
+
+ <!-- drop all other traffic -->
+ <rule action='drop' direction='inout' priority='1000'>
+ <all comment='inout: drop all non-accepted traffic'/>
+ </rule>
+
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/example-2.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/example-2.fwall
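Review bot: The last rule's comment `inout: drop all non-accepted traffic` overstates the filter's reach: `<all>` is nwfilter's IPv4 catch-all (IPv6 has the separate `all-ipv6` protocol), and example-2.fwall correspondingly expects only iptables chains and no ip6tables output, so IPv6 traffic to and from the VM is not dropped, or filtered at all, by this example. If it is meant as a deny-by-default template it needs `<all-ipv6 .../>` counterparts for the state and drop rules, or the comments should say IPv4 explicitly; I am inferring the IPv4-only scope from the absent ip6tables expectations, so confirm against the nwfilter schema. Minor: `<!-- allow outgong DNS lookups -->` should read `outgoing`.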
@@ -0,0 +1,20 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* out: existing and related (ftp) connections */ state RELATED,ESTABLISHED
+RETURN udp -- 0.0.0.0/0 0.0.0.0/0 /* out: DNS lookups */ udp dpt:53 state NEW
+DROP all -- 0.0.0.0/0 0.0.0.0/0 /* inout: drop all non-accepted traffic */
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* in: existing connections */ state ESTABLISHED
+ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* in: ftp and ssh */ tcp dpts:21:22 state NEW
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 /* in: icmp */ state NEW
+DROP all -- 0.0.0.0/0 0.0.0.0/0 /* inout: drop all non-accepted traffic */
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* out: existing and related (ftp) connections */ state RELATED,ESTABLISHED
+RETURN udp -- 0.0.0.0/0 0.0.0.0/0 /* out: DNS lookups */ udp dpt:53 state NEW
+DROP all -- 0.0.0.0/0 0.0.0.0/0 /* inout: drop all non-accepted traffic */
+