So far this will only affect what happens if there is some failure
while applying the firewall rules; the rollback rules aren't yet
persistent beyond that time. More work is needed to remember the
rollback rules while the network is active, and use those rules to
remove the firewall for the network when it is destroyed.
Note that the test case data changed because enabling auto-rollback
will cause the nftables backend to add "-ae" to each commandline in
order to retrieve the handle for the newly created table/chain/rule.
(in our simplistic unit-test world, the handle is always "5309").
Signed-off-by: Laine Stump <laine(a)redhat.com>
---
src/network/bridge_driver_linux.c | 15 +----
.../nat-default-linux.nftables | 36 +++++-----
.../nat-ipv6-linux.nftables | 58 ++++++++--------
.../nat-ipv6-masquerade-linux.nftables | 66 +++++++++----------
.../nat-many-ips-linux.nftables | 64 +++++++++---------
.../nat-no-dhcp-linux.nftables | 58 ++++++++--------
.../nat-tftp-linux.nftables | 40 +++++------
.../route-default-linux.nftables | 26 ++++----
tests/networkxml2firewalltest.c | 9 ++-
9 files changed, 185 insertions(+), 187 deletions(-)
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index 058cfa1d80..f6bae334aa 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -915,7 +915,7 @@ networkAddFirewallRules(virNetworkDef *def,
}
}
- virFirewallStartTransaction(fw, 0);
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK);
networkAddGeneralFirewallRules(fw, def);
@@ -926,17 +926,8 @@ networkAddFirewallRules(virNetworkDef *def,
return -1;
}
- virFirewallStartRollback(fw, 0);
-
- for (i = 0;
- (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i));
- i++) {
- if (networkRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0)
- return -1;
- }
- networkRemoveGeneralFirewallRules(fw, def);
-
- virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+ virFirewallStartTransaction(fw, (VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS
+ | VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK));
networkAddChecksumFirewallRules(fw, def);
return virFirewallApply(fw);
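Review bot: The second transaction, `virFirewallStartTransaction(fw, (VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS | VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK))`, combines a flag that lets individual commands fail with one that records a rollback entry from each command's echoed handle, and nothing at the call site says what happens for a command that failed and therefore produced no handle. If the backend registers a rollback step regardless, the rollback would later try to delete an object that was never created; the backend is not visible here, so this needs confirming rather than fixing in this hunk. A one-line comment above the call would pin the intended contract, e.g. `/* checksum rules are best-effort: a failed add yields no handle and must not produce a rollback entry */`. networkAddFirewallRules starts before this hunk.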
diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables
b/tests/networkxml2firewalldata/nat-default-linux.nftables
index 7e01ceba97..7d3c767cc4 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-default-linux.nftables
@@ -1,5 +1,5 @@
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -12,7 +12,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -25,7 +25,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -38,7 +38,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -51,7 +51,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -64,7 +64,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -77,7 +77,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -90,7 +90,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -103,7 +103,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -113,7 +113,7 @@ virbr0 \
counter \
reject
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -123,7 +123,7 @@ virbr0 \
counter \
reject
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -135,7 +135,7 @@ virbr0 \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -148,7 +148,7 @@ virbr0 \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -164,7 +164,7 @@ related,established \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -179,7 +179,7 @@ daddr \
counter \
masquerade
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -199,7 +199,7 @@ masquerade \
to \
:1024-65535
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -219,7 +219,7 @@ masquerade \
to \
:1024-65535
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -233,7 +233,7 @@ daddr \
counter \
return
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
index 3a75dfced7..1fcfd8f709 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
@@ -1,5 +1,5 @@
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -12,7 +12,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -25,7 +25,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -38,7 +38,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -51,7 +51,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -64,7 +64,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -77,7 +77,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -90,7 +90,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -103,7 +103,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -113,7 +113,7 @@ virbr0 \
counter \
reject
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -123,7 +123,7 @@ virbr0 \
counter \
reject
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -135,7 +135,7 @@ virbr0 \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -145,7 +145,7 @@ virbr0 \
counter \
reject
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -155,7 +155,7 @@ virbr0 \
counter \
reject
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -167,7 +167,7 @@ virbr0 \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -180,7 +180,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -193,7 +193,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -206,7 +206,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -219,7 +219,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -232,7 +232,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -245,7 +245,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -258,7 +258,7 @@ virbr0 \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -274,7 +274,7 @@ related,established \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -289,7 +289,7 @@ daddr \
counter \
masquerade
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -309,7 +309,7 @@ masquerade \
to \
:1024-65535
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -329,7 +329,7 @@ masquerade \
to \
:1024-65535
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -343,7 +343,7 @@ daddr \
counter \
return
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -357,7 +357,7 @@ daddr \
counter \
return
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -370,7 +370,7 @@ virbr0 \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
index 5959a920ff..c0594e8817 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
@@ -1,5 +1,5 @@
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -12,7 +12,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -25,7 +25,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -38,7 +38,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -51,7 +51,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -64,7 +64,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -77,7 +77,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -90,7 +90,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -103,7 +103,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -113,7 +113,7 @@ virbr0 \
counter \
reject
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -123,7 +123,7 @@ virbr0 \
counter \
reject
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -135,7 +135,7 @@ virbr0 \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -145,7 +145,7 @@ virbr0 \
counter \
reject
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -155,7 +155,7 @@ virbr0 \
counter \
reject
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -167,7 +167,7 @@ virbr0 \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -180,7 +180,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -193,7 +193,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -206,7 +206,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -219,7 +219,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -232,7 +232,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -245,7 +245,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -258,7 +258,7 @@ virbr0 \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -274,7 +274,7 @@ related,established \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -289,7 +289,7 @@ daddr \
counter \
masquerade
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -309,7 +309,7 @@ masquerade \
to \
:1024-65535
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -329,7 +329,7 @@ masquerade \
to \
:1024-65535
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -343,7 +343,7 @@ daddr \
counter \
return
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -357,7 +357,7 @@ daddr \
counter \
return
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -370,7 +370,7 @@ virbr0 \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -386,7 +386,7 @@ related,established \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -401,7 +401,7 @@ daddr \
counter \
masquerade
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -421,7 +421,7 @@ masquerade \
to \
:1024-65535
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -441,7 +441,7 @@ masquerade \
to \
:1024-65535
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
index 7cf989e040..ac9b3fcfbb 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
@@ -1,5 +1,5 @@
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -12,7 +12,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -25,7 +25,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -38,7 +38,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -51,7 +51,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -64,7 +64,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -77,7 +77,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -90,7 +90,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -103,7 +103,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -113,7 +113,7 @@ virbr0 \
counter \
reject
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -123,7 +123,7 @@ virbr0 \
counter \
reject
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -135,7 +135,7 @@ virbr0 \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -148,7 +148,7 @@ virbr0 \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -164,7 +164,7 @@ related,established \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -179,7 +179,7 @@ daddr \
counter \
masquerade
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -199,7 +199,7 @@ masquerade \
to \
:1024-65535
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -219,7 +219,7 @@ masquerade \
to \
:1024-65535
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -233,7 +233,7 @@ daddr \
counter \
return
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -247,7 +247,7 @@ daddr \
counter \
return
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -260,7 +260,7 @@ virbr0 \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -276,7 +276,7 @@ related,established \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -291,7 +291,7 @@ daddr \
counter \
masquerade
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -311,7 +311,7 @@ masquerade \
to \
:1024-65535
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -331,7 +331,7 @@ masquerade \
to \
:1024-65535
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -345,7 +345,7 @@ daddr \
counter \
return
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -359,7 +359,7 @@ daddr \
counter \
return
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -372,7 +372,7 @@ virbr0 \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -388,7 +388,7 @@ related,established \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -403,7 +403,7 @@ daddr \
counter \
masquerade
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -423,7 +423,7 @@ masquerade \
to \
:1024-65535
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -443,7 +443,7 @@ masquerade \
to \
:1024-65535
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -457,7 +457,7 @@ daddr \
counter \
return
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
index 3a75dfced7..1fcfd8f709 100644
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
@@ -1,5 +1,5 @@
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -12,7 +12,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -25,7 +25,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -38,7 +38,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -51,7 +51,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -64,7 +64,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -77,7 +77,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -90,7 +90,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -103,7 +103,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -113,7 +113,7 @@ virbr0 \
counter \
reject
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -123,7 +123,7 @@ virbr0 \
counter \
reject
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -135,7 +135,7 @@ virbr0 \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -145,7 +145,7 @@ virbr0 \
counter \
reject
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -155,7 +155,7 @@ virbr0 \
counter \
reject
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -167,7 +167,7 @@ virbr0 \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -180,7 +180,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -193,7 +193,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -206,7 +206,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -219,7 +219,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -232,7 +232,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -245,7 +245,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -258,7 +258,7 @@ virbr0 \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -274,7 +274,7 @@ related,established \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -289,7 +289,7 @@ daddr \
counter \
masquerade
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -309,7 +309,7 @@ masquerade \
to \
:1024-65535
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -329,7 +329,7 @@ masquerade \
to \
:1024-65535
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -343,7 +343,7 @@ daddr \
counter \
return
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -357,7 +357,7 @@ daddr \
counter \
return
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
@@ -370,7 +370,7 @@ virbr0 \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip6 \
libvirt \
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables
b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
index 15ac92c46a..2102aa97bc 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
@@ -1,5 +1,5 @@
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -12,7 +12,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -25,7 +25,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -38,7 +38,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -51,7 +51,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -64,7 +64,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -77,7 +77,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -90,7 +90,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -103,7 +103,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -116,7 +116,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -129,7 +129,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -139,7 +139,7 @@ virbr0 \
counter \
reject
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -149,7 +149,7 @@ virbr0 \
counter \
reject
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -161,7 +161,7 @@ virbr0 \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -174,7 +174,7 @@ virbr0 \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -190,7 +190,7 @@ related,established \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -205,7 +205,7 @@ daddr \
counter \
masquerade
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -225,7 +225,7 @@ masquerade \
to \
:1024-65535
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -245,7 +245,7 @@ masquerade \
to \
:1024-65535
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -259,7 +259,7 @@ daddr \
counter \
return
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables
b/tests/networkxml2firewalldata/route-default-linux.nftables
index f56cc2d0bc..834f6366ae 100644
--- a/tests/networkxml2firewalldata/route-default-linux.nftables
+++ b/tests/networkxml2firewalldata/route-default-linux.nftables
@@ -1,5 +1,5 @@
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -12,7 +12,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -25,7 +25,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -38,7 +38,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -51,7 +51,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -64,7 +64,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -77,7 +77,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -90,7 +90,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -103,7 +103,7 @@ dport \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -113,7 +113,7 @@ virbr0 \
counter \
reject
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -123,7 +123,7 @@ virbr0 \
counter \
reject
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -135,7 +135,7 @@ virbr0 \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
@@ -148,7 +148,7 @@ virbr0 \
counter \
accept
nft \
-insert \
+-ae insert \
rule \
ip \
libvirt \
diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c
index ab1c7b217d..6e9eca0832 100644
--- a/tests/networkxml2firewalltest.c
+++ b/tests/networkxml2firewalltest.c
@@ -79,7 +79,14 @@ testCommandDryRun(const char *const*args G_GNUC_UNUSED,
void *opaque G_GNUC_UNUSED)
{
*status = 0;
- *output = g_strdup("");
+ /* if arg[1] is -ae then this is an nft command,
+ * and the caller requested to get the handle
+ * of the newly added object in stdout
+ */
+ if (STREQ_NULLABLE(args[1], "-ae"))
+ *output = g_strdup("# handle 5309");
+ else
+ *output = g_strdup("");
*error = g_strdup("");
}
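Review bot: The comment above the new branch says `arg[1]` while the code tests `args[1]`, and it asserts the command is nft although only the `-ae` flag is checked, so the mock will also emit `# handle 5309` for any other binary invoked with `-ae` as its first argument; rewording it to `/* args[1] == "-ae" marks an nft command whose caller wants the handle of the new object echoed on stdout */` keeps it accurate. `STREQ_NULLABLE` copes with args[1] being NULL, but args[1] is read without confirming args[0] exists; if an empty argv can ever reach this mock, `if (args[0] && STREQ_NULLABLE(args[1], "-ae"))` avoids the out-of-bounds read, though whether that is reachable cannot be told from here. The literal `"# handle 5309"` mimics nft's echo output, so a short comment saying that the backend's handle parser is the consumer and that the format must stay in step with what real nft prints would help whoever next changes either side. testCommandDryRun's signature starts before this hunk.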
--
2.39.2