Run all the networkxml2firewall tests twice - once with the iptables
backend, and once with the nftables backend.
The results files for the existing iptables tests were previously
named *.args. That has been changed to *.iptables, and the results
files for the new nftables tests are named *.nftables.
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
.../{base.args => base.iptables} | 0
tests/networkxml2firewalldata/base.nftables | 256 ++++++++++
...-linux.args => nat-default-linux.iptables} | 0
.../nat-default-linux.nftables | 248 +++++++++
...pv6-linux.args => nat-ipv6-linux.iptables} | 0
.../nat-ipv6-linux.nftables | 384 ++++++++++++++
...rgs => nat-ipv6-masquerade-linux.iptables} | 0
.../nat-ipv6-masquerade-linux.nftables | 456 +++++++++++++++++
...linux.args => nat-many-ips-linux.iptables} | 0
.../nat-many-ips-linux.nftables | 472 ++++++++++++++++++
...-linux.args => nat-no-dhcp-linux.iptables} | 0
.../nat-no-dhcp-linux.nftables | 384 ++++++++++++++
...ftp-linux.args => nat-tftp-linux.iptables} | 0
.../nat-tftp-linux.nftables | 274 ++++++++++
...inux.args => route-default-linux.iptables} | 0
.../route-default-linux.nftables | 162 ++++++
tests/networkxml2firewalltest.c | 56 ++-
17 files changed, 2678 insertions(+), 14 deletions(-)
rename tests/networkxml2firewalldata/{base.args => base.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/base.nftables
rename tests/networkxml2firewalldata/{nat-default-linux.args =>
nat-default-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-default-linux.nftables
rename tests/networkxml2firewalldata/{nat-ipv6-linux.args => nat-ipv6-linux.iptables}
(100%)
create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.nftables
rename tests/networkxml2firewalldata/{nat-ipv6-masquerade-linux.args =>
nat-ipv6-masquerade-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
rename tests/networkxml2firewalldata/{nat-many-ips-linux.args =>
nat-many-ips-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.nftables
rename tests/networkxml2firewalldata/{nat-no-dhcp-linux.args =>
nat-no-dhcp-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
rename tests/networkxml2firewalldata/{nat-tftp-linux.args => nat-tftp-linux.iptables}
(100%)
create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.nftables
rename tests/networkxml2firewalldata/{route-default-linux.args =>
route-default-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/route-default-linux.nftables
diff --git a/tests/networkxml2firewalldata/base.args
b/tests/networkxml2firewalldata/base.iptables
similarity index 100%
rename from tests/networkxml2firewalldata/base.args
rename to tests/networkxml2firewalldata/base.iptables
diff --git a/tests/networkxml2firewalldata/base.nftables
b/tests/networkxml2firewalldata/base.nftables
new file mode 100644
index 0000000000..4f1f475a85
--- /dev/null
+++ b/tests/networkxml2firewalldata/base.nftables
@@ -0,0 +1,256 @@
+nft \
+list \
+table \
+ip \
+libvirt
+nft \
+add \
+table \
+ip \
+libvirt
+nft \
+add \
+chain \
+ip \
+libvirt \
+INPUT \
+'{ type filter hook input priority 0; policy accept; }'
+nft \
+add \
+chain \
+ip \
+libvirt \
+FORWARD \
+'{ type filter hook forward priority 0; policy accept; }'
+nft \
+add \
+chain \
+ip \
+libvirt \
+OUTPUT \
+'{ type filter hook output priority 0; policy accept; }'
+nft \
+add \
+chain \
+ip \
+libvirt \
+LIBVIRT_INP
+nft \
+insert \
+rule \
+ip \
+libvirt \
+INPUT \
+counter \
+jump \
+LIBVIRT_INP
+nft \
+add \
+chain \
+ip \
+libvirt \
+LIBVIRT_OUT
+nft \
+insert \
+rule \
+ip \
+libvirt \
+OUTPUT \
+counter \
+jump \
+LIBVIRT_OUT
+nft \
+add \
+chain \
+ip \
+libvirt \
+LIBVIRT_FWO
+nft \
+insert \
+rule \
+ip \
+libvirt \
+FORWARD \
+counter \
+jump \
+LIBVIRT_FWO
+nft \
+add \
+chain \
+ip \
+libvirt \
+LIBVIRT_FWI
+nft \
+insert \
+rule \
+ip \
+libvirt \
+FORWARD \
+counter \
+jump \
+LIBVIRT_FWI
+nft \
+add \
+chain \
+ip \
+libvirt \
+LIBVIRT_FWX
+nft \
+insert \
+rule \
+ip \
+libvirt \
+FORWARD \
+counter \
+jump \
+LIBVIRT_FWX
+nft \
+add \
+chain \
+ip \
+libvirt \
+POSTROUTING \
+'{ type nat hook postrouting priority 100; policy accept; }'
+nft \
+add \
+chain \
+ip \
+libvirt \
+LIBVIRT_PRT
+nft \
+insert \
+rule \
+ip \
+libvirt \
+POSTROUTING \
+counter \
+jump \
+LIBVIRT_PRT
+nft \
+list \
+table \
+ip6 \
+libvirt
+nft \
+add \
+table \
+ip6 \
+libvirt
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+INPUT \
+'{ type filter hook input priority 0; policy accept; }'
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+FORWARD \
+'{ type filter hook forward priority 0; policy accept; }'
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+OUTPUT \
+'{ type filter hook output priority 0; policy accept; }'
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+LIBVIRT_INP
+nft \
+insert \
+rule \
+ip6 \
+libvirt \
+INPUT \
+counter \
+jump \
+LIBVIRT_INP
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+LIBVIRT_OUT
+nft \
+insert \
+rule \
+ip6 \
+libvirt \
+OUTPUT \
+counter \
+jump \
+LIBVIRT_OUT
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+LIBVIRT_FWO
+nft \
+insert \
+rule \
+ip6 \
+libvirt \
+FORWARD \
+counter \
+jump \
+LIBVIRT_FWO
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+LIBVIRT_FWI
+nft \
+insert \
+rule \
+ip6 \
+libvirt \
+FORWARD \
+counter \
+jump \
+LIBVIRT_FWI
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+LIBVIRT_FWX
+nft \
+insert \
+rule \
+ip6 \
+libvirt \
+FORWARD \
+counter \
+jump \
+LIBVIRT_FWX
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+POSTROUTING \
+'{ type nat hook postrouting priority 100; policy accept; }'
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+LIBVIRT_PRT
+nft \
+insert \
+rule \
+ip6 \
+libvirt \
+POSTROUTING \
+counter \
+jump \
+LIBVIRT_PRT
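Review bot: Each base chain in this file is created with `policy accept` at `priority 0` (for example `'{ type filter hook forward priority 0; policy accept; }'`), and nothing in the patch records how that interacts with another firewall's tables on the same hooks. In nftables an accept verdict ends evaluation only within the chain's own table: base chains that other tables register on the same hook still see the packet and may drop it, while a drop or reject is final. A short comment next to the nftables test registration in networkxml2firewalltest.c would keep readers from assuming iptables-style semantics, e.g. `/* accept in table "libvirt" is not final; other tables on the same hook still filter the packet */`. The fixture itself presumably cannot carry the comment, since it is compared against the generated command list.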
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args
b/tests/networkxml2firewalldata/nat-default-linux.iptables
similarity index 100%
rename from tests/networkxml2firewalldata/nat-default-linux.args
rename to tests/networkxml2firewalldata/nat-default-linux.iptables
diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables
b/tests/networkxml2firewalldata/nat-default-linux.nftables
new file mode 100644
index 0000000000..2dafe078a1
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-default-linux.nftables
@@ -0,0 +1,248 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
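Review bot: The first and third commands in this file accept `tcp dport 67` and `tcp dport 68` on virbr0, but DHCP is carried over UDP, so these two rules open ports that no service on the bridge is expected to use. They look carried over from the iptables rule set for parity (the generator is outside this hunk, so that is an inference). The nftables backend is a reasonable place to drop them and keep only the `udp dport 67` and `udp dport 68` accepts. The same TCP pair opens every other per-network fixture in this patch (nat-ipv6, nat-ipv6-masquerade, nat-many-ips, nat-no-dhcp, nat-tftp, route-default), so each would lose those two blocks.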
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args
b/tests/networkxml2firewalldata/nat-ipv6-linux.iptables
similarity index 100%
rename from tests/networkxml2firewalldata/nat-ipv6-linux.args
rename to tests/networkxml2firewalldata/nat-ipv6-linux.iptables
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
new file mode 100644
index 0000000000..63d4d8e2a5
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
@@ -0,0 +1,384 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+547 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+546 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWO \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWI \
+ip6 \
+daddr \
+2001:db8:ca2:2::/64 \
+oifname \
+virbr0 \
+counter \
+accept
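Review bot: The last command accepts everything addressed to the guest prefix going out of virbr0 (`ip6 daddr 2001:db8:ca2:2::/64 oifname virbr0 counter accept`) with no `ct state related,established` match, whereas the IPv4 LIBVIRT_FWI rule earlier in this file has one. If that is intended because the IPv6 side is routed rather than masqueraded, it deserves a line in the commit message; a file named nat-ipv6 otherwise reads as if guests were shielded from unsolicited inbound IPv6, and nat-ipv6-masquerade-linux.nftables does carry the conntrack match. Suggested wording: `IPv6 without NAT is forwarded in both directions; only the masqueraded case restricts inbound traffic to related,established.` The match order also differs from the IPv4 rule (`oifname` before `daddr` there, after it here), which is harmless but makes the two harder to compare.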
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args
b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables
similarity index 100%
rename from tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args
rename to tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
new file mode 100644
index 0000000000..e6d5dea661
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
@@ -0,0 +1,456 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+547 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+546 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWO \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip6 \
+daddr \
+2001:db8:ca2:2::/64 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_PRT \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+'!=' \
+2001:db8:ca2:2::/64 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+'!=' \
+2001:db8:ca2:2::/64 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+'!=' \
+2001:db8:ca2:2::/64 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_PRT \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+ff02::/16 \
+counter \
+return
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args
b/tests/networkxml2firewalldata/nat-many-ips-linux.iptables
similarity index 100%
rename from tests/networkxml2firewalldata/nat-many-ips-linux.args
rename to tests/networkxml2firewalldata/nat-many-ips-linux.iptables
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
new file mode 100644
index 0000000000..e636916c7e
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
@@ -0,0 +1,472 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.128.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.128.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.150.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.150.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.150.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.150.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.150.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.150.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.150.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.150.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.150.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.150.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
b/tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables
similarity index 100%
rename from tests/networkxml2firewalldata/nat-no-dhcp-linux.args
rename to tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
new file mode 100644
index 0000000000..63d4d8e2a5
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
@@ -0,0 +1,384 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+547 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+546 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWO \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWI \
+ip6 \
+daddr \
+2001:db8:ca2:2::/64 \
+oifname \
+virbr0 \
+counter \
+accept
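Review bot: The index line gives this file blob 63d4d8e2a5, the same id as nat-ipv6-linux.nftables, so the no-DHCP case is checked against byte-identical rules, including the accepts for `udp dport 67` and `udp dport 547` on virbr0. The network XML is not on this page, so the following is hedged: if that network really defines no DHCP range, the test cannot show that the backend leaves the DHCP ports closed, and the rules admit traffic that no listener is expected to receive. Either skip those accepts when no range is configured, or say in the commit message that they are emitted regardless, e.g. `DHCP/DHCPv6 accept rules are added whether or not the network defines a range.`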
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args
b/tests/networkxml2firewalldata/nat-tftp-linux.iptables
similarity index 100%
rename from tests/networkxml2firewalldata/nat-tftp-linux.args
rename to tests/networkxml2firewalldata/nat-tftp-linux.iptables
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables
b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
new file mode 100644
index 0000000000..bb0598d011
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
@@ -0,0 +1,274 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+69 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+69 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
diff --git a/tests/networkxml2firewalldata/route-default-linux.args
b/tests/networkxml2firewalldata/route-default-linux.iptables
similarity index 100%
rename from tests/networkxml2firewalldata/route-default-linux.args
rename to tests/networkxml2firewalldata/route-default-linux.iptables
diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables
b/tests/networkxml2firewalldata/route-default-linux.nftables
new file mode 100644
index 0000000000..834f6366ae
--- /dev/null
+++ b/tests/networkxml2firewalldata/route-default-linux.nftables
@@ -0,0 +1,162 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+ip \
+daddr \
+192.168.122.0/24 \
+oifname \
+virbr0 \
+counter \
+accept
diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c
index 082979e5dc..4cabe39d1d 100644
--- a/tests/networkxml2firewalltest.c
+++ b/tests/networkxml2firewalltest.c
@@ -79,13 +79,21 @@ testCommandDryRun(const char *const*args G_GNUC_UNUSED,
void *opaque G_GNUC_UNUSED)
{
*status = 0;
- *output = g_strdup("");
+ /* if arg[1] is -ae then this is an nft command,
+ * and the caller requested to get the handle
+ * of the newly added object in stdout
+ */
+ if (STREQ_NULLABLE(args[1], "-ae"))
+ *output = g_strdup("# handle 5309");
+ else
+ *output = g_strdup("");
*error = g_strdup("");
}
static int testCompareXMLToArgvFiles(const char *xml,
const char *cmdline,
- const char *baseargs)
+ const char *baseargs,
+ virFirewallBackend backend)
{
g_autofree char *actualargv = NULL;
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
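Review bot: `args` is now read in testCommandDryRun, but the parameter declaration shown in the hunk header still carries `G_GNUC_UNUSED`, which misleads the next reader; drop the attribute from that parameter. The test `STREQ_NULLABLE(args[1], "-ae")` also relies on the vector holding at least `args[0]` before its terminator, so `if (args[0] && STREQ_NULLABLE(args[1], "-ae"))` would make that assumption explicit. The comment says `arg[1]` where the code reads `args[1]`, and it should say that `5309` is an arbitrary fake handle. The function's parameter list starts outside the hunk.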
@@ -98,7 +106,7 @@ static int testCompareXMLToArgvFiles(const char *xml,
if (!(def = virNetworkDefParse(NULL, xml, NULL, false)))
return -1;
- if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES, NULL) < 0)
+ if (networkAddFirewallRules(def, backend, NULL) < 0)
return -1;
actual = actualargv = virBufferContentAndReset(&buf);
@@ -119,6 +127,7 @@ static int testCompareXMLToArgvFiles(const char *xml,
struct testInfo {
const char *name;
const char *baseargs;
+ virFirewallBackend backend;
};
@@ -132,10 +141,11 @@ testCompareXMLToIPTablesHelper(const void *data)
xml = g_strdup_printf("%s/networkxml2firewalldata/%s.xml",
abs_srcdir, info->name);
- args = g_strdup_printf("%s/networkxml2firewalldata/%s-%s.args",
- abs_srcdir, info->name, RULESTYPE);
+ args = g_strdup_printf("%s/networkxml2firewalldata/%s-%s.%s",
+ abs_srcdir, info->name, RULESTYPE,
+ virFirewallBackendTypeToString(info->backend));
- result = testCompareXMLToArgvFiles(xml, args, info->baseargs);
+ result = testCompareXMLToArgvFiles(xml, args, info->baseargs, info->backend);
return result;
}
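Review bot: The expected-results path in testCompareXMLToIPTablesHelper now takes its extension from `virFirewallBackendTypeToString(info->backend)`, so the fixture file names are tied to the enum's string table and nothing on the page says so. A comment above the `g_strdup_printf` call would record the coupling, e.g. `/* results file suffix is the backend name: .iptables or .nftables */`. If the helper can return NULL for an unknown backend (presumably, as enum-to-string helpers in this codebase usually do), an early `return -1` on NULL would keep the test from looking for a file with a literal `(null)` suffix. The helper's name still says IPTables although it now serves both backends. Its body starts outside the hunk.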
@@ -145,24 +155,42 @@ static int
mymain(void)
{
int ret = 0;
- g_autofree char *basefile = NULL;
- g_autofree char *baseargs = NULL;
+ g_autofree char *basefileIptables = NULL;
+ g_autofree char *basefileNftables = NULL;
+ g_autofree char *baseargsIptables = NULL;
+ g_autofree char *baseargsNftables = NULL;
+ const char *baseargs[VIR_FIREWALL_BACKEND_LAST];
-# define DO_TEST(name) \
+# define DO_TEST_FOR_BACKEND(name, backend) \
do { \
struct testInfo info = { \
- name, baseargs, \
+ name, baseargs[backend], backend \
}; \
- if (virTestRun("Network XML-2-iptables " name, \
- testCompareXMLToIPTablesHelper, &info) < 0) \
+ g_autofree char *label = g_strdup_printf("Network XML-2-%s %s", \
+ virFirewallBackendTypeToString(backend),
\
+ name); \
+ if (virTestRun(label, testCompareXMLToIPTablesHelper, &info) < 0) \
ret = -1; \
} while (0)
- basefile = g_strdup_printf("%s/networkxml2firewalldata/base.args",
abs_srcdir);
+# define DO_TEST(name) \
+ DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_IPTABLES); \
+ DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_NFTABLES);
- if (virFileReadAll(basefile, INT_MAX, &baseargs) < 0)
+
+ basefileIptables =
g_strdup_printf("%s/networkxml2firewalldata/base.iptables", abs_srcdir);
+ if (virFileReadAll(basefileIptables, INT_MAX, &baseargsIptables) < 0)
return EXIT_FAILURE;
+ baseargs[VIR_FIREWALL_BACKEND_IPTABLES] = baseargsIptables;
+
+ basefileNftables =
g_strdup_printf("%s/networkxml2firewalldata/base.nftables", abs_srcdir);
+ if (virFileReadAll(basefileNftables, INT_MAX, &baseargsNftables) < 0)
+ return EXIT_FAILURE;
+
+ baseargs[VIR_FIREWALL_BACKEND_NFTABLES] = baseargsNftables;
+
+
DO_TEST("nat-default");
DO_TEST("nat-tftp");
DO_TEST("nat-many-ips");
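Review bot: The new `DO_TEST(name)` macro expands to two statements and ends in its own semicolon, so it would misbehave under an unbraced `if` or `else`, unlike `DO_TEST_FOR_BACKEND`, which is wrapped correctly. Give it the same wrapper: `do { DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_IPTABLES); DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_NFTABLES); } while (0)`. Separately, `baseargs[VIR_FIREWALL_BACKEND_LAST]` is declared without an initializer and only the IPTABLES and NFTABLES slots are assigned. If the enum has any other member, that slot holds an indeterminate pointer, so `const char *baseargs[VIR_FIREWALL_BACKEND_LAST] = { NULL };` is safer. The body of mymain continues past the end of the hunk.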
--
2.45.0