Because the chains added by the network driver nftables backend will
go into a table used only by libvirt, we don't need to have "libvirt"
in the chain names. Instead, we can make them more descriptive and
less abrasive (by using lower case, and using full words rather than
abbreviations).
Also (again because nobody else is using the private "libvirt_network"
table) we can directly put our rules into the input ("guest_to_host"),
output ("host_to_guest"), and postrouting ("guest_nat") chains rather
than creating a subordinate chain as done in the iptables backend.
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/network/network_nftables.c | 30 ++++-----
.../nat-default-linux.nftables | 36 +++++-----
.../nat-ipv6-linux.nftables | 58 ++++++++--------
.../nat-ipv6-masquerade-linux.nftables | 66 +++++++++----------
.../nat-many-ips-linux.nftables | 64 +++++++++---------
.../nat-no-dhcp-linux.nftables | 58 ++++++++--------
.../nat-tftp-linux.nftables | 40 +++++------
.../route-default-linux.nftables | 26 ++++----
8 files changed, 188 insertions(+), 190 deletions(-)
diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c
index ec9194a8b8..12a2d4c6ad 100644
--- a/src/network/network_nftables.c
+++ b/src/network/network_nftables.c
@@ -40,12 +40,13 @@ VIR_LOG_INIT("network.nftables");
#define VIR_FROM_THIS VIR_FROM_NONE
-#define VIR_NFTABLES_INPUT_CHAIN "LIBVIRT_INP"
-#define VIR_NFTABLES_OUTPUT_CHAIN "LIBVIRT_OUT"
-#define VIR_NFTABLES_FWD_IN_CHAIN "LIBVIRT_FWI"
-#define VIR_NFTABLES_FWD_OUT_CHAIN "LIBVIRT_FWO"
-#define VIR_NFTABLES_FWD_X_CHAIN "LIBVIRT_FWX"
-#define VIR_NFTABLES_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT"
+#define VIR_NFTABLES_INPUT_CHAIN "guest_to_host"
+#define VIR_NFTABLES_OUTPUT_CHAIN "host_to_guest"
+#define VIR_NFTABLES_FORWARD_CHAIN "forward"
+#define VIR_NFTABLES_FWD_IN_CHAIN "guest_input"
+#define VIR_NFTABLES_FWD_OUT_CHAIN "guest_output"
+#define VIR_NFTABLES_FWD_X_CHAIN "guest_cross"
+#define VIR_NFTABLES_NAT_POSTROUTE_CHAIN "guest_nat"
/* we must avoid using the standard "filter" table as used by
* iptables, as any subsequent attempts to use iptables commands will
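Review bot: The renamed chain macros have no comment saying which traffic each chain holds, and the new names are easy to mix up: `guest_to_host` is the input-hook chain, while `guest_input` is a forward sub-chain. Judging from the expected test output in this patch, `guest_output` rules match on `iifname` of the bridge and `guest_input` rules match on `oifname`, so a one-line comment per macro would help anyone auditing the generated ruleset, e.g. `/* forwarded traffic arriving from the guest bridge (iifname) */` above `VIR_NFTABLES_FWD_OUT_CHAIN`. `VIR_NFTABLES_FORWARD_CHAIN "forward"` is the only name left generic; a comment that it is the hooked chain the three `guest_*` forward chains are attached to (as the chain table later in this file's diff suggests) would make that explicit.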
@@ -87,18 +88,15 @@ typedef struct {
nftablesGlobalChain nftablesChains[] = {
/* chains for filter rules */
- {NULL, "INPUT", "{ type filter hook input priority 0; policy accept;
}"},
- {NULL, "FORWARD", "{ type filter hook forward priority 0; policy
accept; }"},
- {NULL, "OUTPUT", "{ type filter hook output priority 0; policy accept;
}"},
- {"INPUT", VIR_NFTABLES_INPUT_CHAIN, NULL},
- {"OUTPUT", VIR_NFTABLES_OUTPUT_CHAIN, NULL},
- {"FORWARD", VIR_NFTABLES_FWD_OUT_CHAIN, NULL},
- {"FORWARD", VIR_NFTABLES_FWD_IN_CHAIN, NULL},
- {"FORWARD", VIR_NFTABLES_FWD_X_CHAIN, NULL},
+ {NULL, VIR_NFTABLES_INPUT_CHAIN, "{ type filter hook input priority 0; policy
accept; }"},
+ {NULL, VIR_NFTABLES_FORWARD_CHAIN, "{ type filter hook forward priority 0;
policy accept; }"},
+ {NULL, VIR_NFTABLES_OUTPUT_CHAIN, "{ type filter hook output priority 0; policy
accept; }"},
+ {VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_OUT_CHAIN, NULL},
+ {VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_IN_CHAIN, NULL},
+ {VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_X_CHAIN, NULL},
/* chains for NAT rules */
- {NULL, "POSTROUTING", "{ type nat hook postrouting priority 100;
policy accept; }"},
- {"POSTROUTING", VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL},
+ {NULL, VIR_NFTABLES_NAT_POSTROUTE_CHAIN, "{ type nat hook postrouting priority
100; policy accept; }"},
};
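Review bot: The entries that now put rules directly into hooked base chains (`guest_to_host`, `host_to_guest`, `guest_nat`) declare `policy accept` at priority 0 and 100, and nothing in the table documents what an accept there does and does not guarantee. In nftables an accept verdict ends evaluation only for that base chain; base chains of other tables on the same hook still see the packet and can drop it, and the relative order of chains sharing a priority should not be relied on. I would add a comment above the base-chain entries such as `/* base chains (parent == NULL) hold rules directly; accept here is not final, other tables on the same hook may still drop */`. The `nftablesGlobalChain` typedef that defines the three fields starts outside this hunk, so the field meanings are inferred from the entries.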
diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables
b/tests/networkxml2firewalldata/nat-default-linux.nftables
index 92b3dd7fc0..8b6e0ba406 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-default-linux.nftables
@@ -3,7 +3,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -16,7 +16,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -29,7 +29,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -42,7 +42,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -55,7 +55,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -68,7 +68,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -81,7 +81,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -94,7 +94,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -107,7 +107,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
iifname \
virbr0 \
counter \
@@ -117,7 +117,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
counter \
@@ -127,7 +127,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
iifname \
virbr0 \
oifname \
@@ -139,7 +139,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip \
saddr \
192.168.122.0/24 \
@@ -152,7 +152,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
ip \
@@ -168,7 +168,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -183,7 +183,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
udp \
@@ -203,7 +203,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
tcp \
@@ -223,7 +223,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -237,7 +237,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
index f8317415cf..03fb7397cd 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
@@ -3,7 +3,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -16,7 +16,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -29,7 +29,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -42,7 +42,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -55,7 +55,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -68,7 +68,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -81,7 +81,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -94,7 +94,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -107,7 +107,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
iifname \
virbr0 \
counter \
@@ -117,7 +117,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
counter \
@@ -127,7 +127,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
iifname \
virbr0 \
oifname \
@@ -139,7 +139,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
iifname \
virbr0 \
counter \
@@ -149,7 +149,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
counter \
@@ -159,7 +159,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
iifname \
virbr0 \
oifname \
@@ -171,7 +171,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -184,7 +184,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -197,7 +197,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -210,7 +210,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -223,7 +223,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -236,7 +236,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -249,7 +249,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip \
saddr \
192.168.122.0/24 \
@@ -262,7 +262,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
ip \
@@ -278,7 +278,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -293,7 +293,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
udp \
@@ -313,7 +313,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
tcp \
@@ -333,7 +333,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -347,7 +347,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -361,7 +361,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
@@ -374,7 +374,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
ip6 \
daddr \
2001:db8:ca2:2::/64 \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
index a15b38478b..012a3d5d47 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
@@ -3,7 +3,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -16,7 +16,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -29,7 +29,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -42,7 +42,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -55,7 +55,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -68,7 +68,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -81,7 +81,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -94,7 +94,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -107,7 +107,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
iifname \
virbr0 \
counter \
@@ -117,7 +117,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
counter \
@@ -127,7 +127,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
iifname \
virbr0 \
oifname \
@@ -139,7 +139,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
iifname \
virbr0 \
counter \
@@ -149,7 +149,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
counter \
@@ -159,7 +159,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
iifname \
virbr0 \
oifname \
@@ -171,7 +171,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -184,7 +184,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -197,7 +197,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -210,7 +210,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -223,7 +223,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -236,7 +236,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -249,7 +249,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip \
saddr \
192.168.122.0/24 \
@@ -262,7 +262,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
ip \
@@ -278,7 +278,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -293,7 +293,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
udp \
@@ -313,7 +313,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
tcp \
@@ -333,7 +333,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -347,7 +347,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -361,7 +361,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
@@ -374,7 +374,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
ip6 \
@@ -390,7 +390,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
@@ -405,7 +405,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
udp \
@@ -425,7 +425,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
tcp \
@@ -445,7 +445,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
index bd88ec9d83..029274ea06 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
@@ -3,7 +3,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -16,7 +16,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -29,7 +29,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -42,7 +42,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -55,7 +55,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -68,7 +68,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -81,7 +81,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -94,7 +94,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -107,7 +107,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
iifname \
virbr0 \
counter \
@@ -117,7 +117,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
counter \
@@ -127,7 +127,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
iifname \
virbr0 \
oifname \
@@ -139,7 +139,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip \
saddr \
192.168.122.0/24 \
@@ -152,7 +152,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
ip \
@@ -168,7 +168,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -183,7 +183,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
udp \
@@ -203,7 +203,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
tcp \
@@ -223,7 +223,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -237,7 +237,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -251,7 +251,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip \
saddr \
192.168.128.0/24 \
@@ -264,7 +264,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
ip \
@@ -280,7 +280,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.128.0/24 \
@@ -295,7 +295,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
udp \
@@ -315,7 +315,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
tcp \
@@ -335,7 +335,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.128.0/24 \
@@ -349,7 +349,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.128.0/24 \
@@ -363,7 +363,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip \
saddr \
192.168.150.0/24 \
@@ -376,7 +376,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
ip \
@@ -392,7 +392,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.150.0/24 \
@@ -407,7 +407,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
udp \
@@ -427,7 +427,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
tcp \
@@ -447,7 +447,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.150.0/24 \
@@ -461,7 +461,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.150.0/24 \
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
index f8317415cf..03fb7397cd 100644
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
@@ -3,7 +3,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -16,7 +16,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -29,7 +29,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -42,7 +42,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -55,7 +55,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -68,7 +68,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -81,7 +81,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -94,7 +94,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -107,7 +107,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
iifname \
virbr0 \
counter \
@@ -117,7 +117,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
counter \
@@ -127,7 +127,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
iifname \
virbr0 \
oifname \
@@ -139,7 +139,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
iifname \
virbr0 \
counter \
@@ -149,7 +149,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
counter \
@@ -159,7 +159,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
iifname \
virbr0 \
oifname \
@@ -171,7 +171,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -184,7 +184,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -197,7 +197,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -210,7 +210,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -223,7 +223,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -236,7 +236,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -249,7 +249,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip \
saddr \
192.168.122.0/24 \
@@ -262,7 +262,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
ip \
@@ -278,7 +278,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -293,7 +293,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
udp \
@@ -313,7 +313,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
tcp \
@@ -333,7 +333,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -347,7 +347,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -361,7 +361,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
@@ -374,7 +374,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
ip6 \
daddr \
2001:db8:ca2:2::/64 \
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables
b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
index a25935b831..dd84468ad6 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
@@ -3,7 +3,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -16,7 +16,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -29,7 +29,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -42,7 +42,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -55,7 +55,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -68,7 +68,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -81,7 +81,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -94,7 +94,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -107,7 +107,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -120,7 +120,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -133,7 +133,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
iifname \
virbr0 \
counter \
@@ -143,7 +143,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
counter \
@@ -153,7 +153,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
iifname \
virbr0 \
oifname \
@@ -165,7 +165,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip \
saddr \
192.168.122.0/24 \
@@ -178,7 +178,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
ip \
@@ -194,7 +194,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -209,7 +209,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
udp \
@@ -229,7 +229,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
tcp \
@@ -249,7 +249,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -263,7 +263,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables
b/tests/networkxml2firewalldata/route-default-linux.nftables
index 2337d50baf..c1cc8f05b1 100644
--- a/tests/networkxml2firewalldata/route-default-linux.nftables
+++ b/tests/networkxml2firewalldata/route-default-linux.nftables
@@ -3,7 +3,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -16,7 +16,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -29,7 +29,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -42,7 +42,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -55,7 +55,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -68,7 +68,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -81,7 +81,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -94,7 +94,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -107,7 +107,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
iifname \
virbr0 \
counter \
@@ -117,7 +117,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
counter \
@@ -127,7 +127,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
iifname \
virbr0 \
oifname \
@@ -139,7 +139,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip \
saddr \
192.168.122.0/24 \
@@ -152,7 +152,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
ip \
daddr \
192.168.122.0/24 \
--
2.45.0