7:38 p.m.
Follow the changes to the clean-traffic filter to pass the nwfilter tests.
---
scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat | 33 +++++++----------
1 file changed, 15 insertions(+), 18 deletions(-)
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat
@@ -3,34 +3,31 @@
#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v
"^$"
-o vnet0 -j libvirt-O-vnet0
#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v
"^$"
--p IPv4 -j I-vnet0-ipv4
--p ARP -j I-vnet0-arp
+-j I-vnet0-mac
+-p IPv4 -j I-vnet0-ipv4-ip
+-p IPv4 -j ACCEPT
+-p ARP -j I-vnet0-arp-mac
+-p ARP -j I-vnet0-arp-ip
+-p ARP -j ACCEPT
-p 0x8035 -j I-vnet0-rarp
-p 0x835 -j ACCEPT
-j DROP
#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v
"^$"
-p IPv4 -j O-vnet0-ipv4
--p ARP -j O-vnet0-arp
+-p ARP -j ACCEPT
-p 0x8035 -j O-vnet0-rarp
-j DROP
-#ebtables -t nat -L I-vnet0-ipv4 | grep -v "^Bridge" | grep -v "^$"
--s ! 52:54:0:9f:33:da -j DROP
--p IPv4 --ip-src ! 10.1.1.1 -j DROP
+#ebtables -t nat -L I-vnet0-ipv4-ip | grep -v "^Bridge" | grep -v
"^$"
+-p IPv4 --ip-src 0.0.0.0 --ip-proto udp --ip-sport 68 -j ACCEPT
+-p IPv4 --ip-src 10.1.1.1 -j RETURN
+-j DROP
#ebtables -t nat -L O-vnet0-ipv4 | grep -v "^Bridge" | grep -v "^$"
-j ACCEPT
-#ebtables -t nat -L I-vnet0-arp | grep -v "^Bridge" | grep -v "^$"
--s ! 52:54:0:9f:33:da -j DROP
--p ARP --arp-mac-src ! 52:54:0:9f:33:da -j DROP
--p ARP --arp-ip-src ! 10.1.1.1 -j DROP
--p ARP --arp-op Request -j ACCEPT
--p ARP --arp-op Reply -j ACCEPT
+#ebtables -t nat -L I-vnet0-arp-mac | grep -v "^Bridge" | grep -v
"^$"
+-p ARP --arp-mac-src 52:54:0:9f:33:da -j RETURN
-j DROP
-#ebtables -t nat -L O-vnet0-arp | grep -v "^Bridge" | grep -v "^$"
--p ARP --arp-gratuitous -j ACCEPT
--p ARP --arp-op Reply --arp-mac-dst ! 52:54:0:9f:33:da -j DROP
--p ARP --arp-ip-dst ! 10.1.1.1 -j DROP
--p ARP --arp-op Request -j ACCEPT
--p ARP --arp-op Reply -j ACCEPT
+#ebtables -t nat -L I-vnet0-arp-ip | grep -v "^Bridge" | grep -v
"^$"
+-p ARP --arp-ip-src 10.1.1.1 -j RETURN
-j DROP
#ip6tables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
11:10 a.m.
On 12/01/2011 06:38 PM, Stefan Berger wrote:
Follow the changes to the clean-traffic filter to pass the nwfilter
tests.
---
scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat | 33 +++++++----------
1 file changed, 15 insertions(+), 18 deletions(-)
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat
@@ -3,34 +3,31 @@
#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v
"^$"
-o vnet0 -j libvirt-O-vnet0
#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v
"^$"
--p IPv4 -j I-vnet0-ipv4
--p ARP -j I-vnet0-arp
+-j I-vnet0-mac
+-p IPv4 -j I-vnet0-ipv4-ip
+-p IPv4 -j ACCEPT
+-p ARP -j I-vnet0-arp-mac
+-p ARP -j I-vnet0-arp-ip
+-p ARP -j ACCEPT
ACK.
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
1:15 p.m.
On 12/02/2011 12:10 PM, Eric Blake wrote:
On 12/01/2011 06:38 PM, Stefan Berger wrote:
> Follow the changes to the clean-traffic filter to pass the nwfilter tests.
>
> ---
> scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat | 33 +++++++----------
> 1 file changed, 15 insertions(+), 18 deletions(-)
>
> Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat
> ===================================================================
> --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat
> +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat
> @@ -3,34 +3,31 @@
> #ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
> -o vnet0 -j libvirt-O-vnet0
> #ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v
"^$"
> --p IPv4 -j I-vnet0-ipv4
> --p ARP -j I-vnet0-arp
> +-j I-vnet0-mac
> +-p IPv4 -j I-vnet0-ipv4-ip
> +-p IPv4 -j ACCEPT
> +-p ARP -j I-vnet0-arp-mac
> +-p ARP -j I-vnet0-arp-ip
> +-p ARP -j ACCEPT
ACK.
Pushed.
4739
days inactive
4739
days old
2 comments
2 participants
participants (2)
-
Eric Blake -
Stefan Berger