3:14 p.m.
This patch adds data for a test case for the comment attribute in the
nwfilter XML.
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
---
scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall | 71
+++++++++++++++
scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml | 68
++++++++++++++
2 files changed, 139 insertions(+)
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml
@@ -0,0 +1,68 @@
+<filter name='tck-testcase'>
+ <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+
+ <rule action='accept' direction='in'>
+ <mac protocolid='0x1234' comment='mac rule'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ip srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ srcipaddr='10.1.2.3' srcipmask='255.255.255.255'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ protocol='udp'
+ srcportstart='0x123' srcportend='0x234'
+ dstportstart='0x3456' dstportend='0x4567'
+ dscp='0x32' comment='ip rule'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80'
+ srcipaddr='::10.1.2.3' srcipmask='22'
+ dstipaddr='::10.1.2.3'
+ dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000'
+ protocol='tcp'
+ srcportstart='0x111' srcportend='400'
+ dstportstart='0x3333' dstportend='65535' comment='ipv6
rule'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ hwtype='0x12'
+ protocoltype='0x56'
+ opcode='Request'
+ arpsrcmacaddr='1:2:3:4:5:6'
+ arpdstmacaddr='a:b:c:d:e:f'
+ comment='arp rule'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='0x22'
+ srcportstart='0x123' srcportend='400'
+ dstportstart='0x234' dstportend='0x444'
+ comment='udp rule'/>
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='0x40'
+ srcportstart='0x20' srcportend='0x21'
+ dstportstart='0x100' dstportend='0x1111'
+ comment='tcp/ipv6 rule'/>
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='0x40'
+ srcportstart='0x20' srcportend='0x21'
+ dstportstart='0x100' dstportend='0x1111'
+ comment='`ls`;${COLUMNS};$(ls);"test";&'/>
+ </rule>
+
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
@@ -0,0 +1,71 @@
+#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v
"^$"
+-p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst
10.1.2.3 --ip-tos 0x32 --ip-proto udp --ip-sport 291:564 --ip-dport
13398:17767 -j ACCEPT
+-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d
aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst
::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto tcp
--ip6-sport 273:400 --ip6-dport 13107:65535 -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype
18 --arp-ptype 0x56 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f
-j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v
"^$"
+-p 0x1234 -j ACCEPT
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400
dpts:564:1092 state NEW,ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x22/* udp rule */ udp spts:564:1092 dpts:291:400 state ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400
dpts:564:1092
+#iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN tcp ::/0 a:b:c::/128 /*
tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 state ESTABLISHED
+RETURN udp ::/0 a:b:c::/128 /*
`ls`;${COLUMNS};$(ls);"test";& */ udp spts:256:4369 dpts:32:33 state
ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 /* tcp/ipv6 rule */ tcp spts:32:33 dpts:256:4369 state
NEW,ESTABLISHED
+ACCEPT udp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 /* `ls`;${COLUMNS};$(ls);"test";& */ udp spts:32:33
dpts:256:4369 state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp ::/0 a:b:c::/128 /*
tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33
+ACCEPT udp ::/0 a:b:c::/128 /*
`ls`;${COLUMNS};$(ls);"test";& */ udp spts:256:4369 dpts:32:33
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
5174
days inactive
5174
days old
0 comments
1 participants
participants (1)
-
Stefan Berger