This patch adjusts the tck test cases following the reordering of the
match extensions relative to the state match in libvirt.
Signed-off-by: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
---
scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall | 30
+++++++--------
scripts/nwfilter/nwfilterxml2fwallout/example-2.fwall | 14 +++----
2 files changed, 22 insertions(+), 22 deletions(-)
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
===================================================================
---
libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
@@ -11,15 +11,15 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400
dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state
NEW,ESTABLISHED ctdir REPLY/* udp rule */
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x22/* udp rule */ udp spts:564:1092 dpts:291:400 state ESTABLISHED
ctdir ORIGINAL
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x22udp spts:564:1092 dpts:291:400 state ESTABLISHED ctdir ORIGINAL/*
udp rule */
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400
dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state
NEW,ESTABLISHED ctdir REPLY/* udp rule */
#iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
#iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " "
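Review bot: The new expected lines pin iptables' exact print spacing, with no separator in `DSCP match 0x22udp spts:291:400` or `ctdir REPLY/* udp rule */`, so these fixtures depend on the iptables print format as well as on libvirt's match ordering. If the harness compares the listing byte-for-byte (not visible here), an iptables build that separates matches differently would fail all three chains even though the rules are correct. The commit message could name the libvirt change that introduced the reordering and the iptables version the output was captured with, for example `Expected output captured with iptables <VERSION> after libvirt commit <ID>`. The same applies to the `ctdir ORIGINAL/* ... */` lines in the ip6tables hunk.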
@@ -31,24 +31,24 @@ FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [got
#ip6tables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN tcp ::/0 a:b:c::/128 /*
tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir
ORIGINAL
-RETURN udp ::/0 ::/0 /*
`ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state ESTABLISHED
ctdir
ORIGINAL
-RETURN sctp ::/0 ::/0 /* comment
with lone ', `, ", `, \, $x, and two spaces */ state ESTABLISHED ctdir
ORIGINAL
-RETURN ah ::/0 ::/0 /*
tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */
state ESTABLISHED ctdir ORIGINAL
+RETURN tcp ::/0 a:b:c::/128 tcp
spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL/* tcp/ipv6
rule */
+RETURN udp ::/0 ::/0 state
ESTABLISHED ctdir ORIGINAL/* `ls`;${COLUMNS};$(ls);"test";&'3
spaces' */
+RETURN sctp ::/0 ::/0 state
ESTABLISHED ctdir ORIGINAL/* comment with lone ', `, ", `, \, $x, and
two spaces */
+RETURN ah ::/0 ::/0 state
ESTABLISHED ctdir ORIGINAL/* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat
< ${tmp}; rm -f ${tmp} */
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 /* tcp/ipv6 rule */ tcp spts:32:33 dpts:256:4369 state
NEW,ESTABLISHED ctdir REPLY
-ACCEPT udp ::/0 ::/0 /*
`ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state NEW,ESTABLISHED
ctdir REPLY
-ACCEPT sctp ::/0 ::/0 /* comment
with lone ', `, ", `, \, $x, and two spaces */ state NEW,ESTABLISHED
ctdir REPLY
-ACCEPT ah ::/0 ::/0 /*
tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */
state NEW,ESTABLISHED ctdir REPLY
+ACCEPT tcp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED
ctdir REPLY/* tcp/ipv6 rule */
+ACCEPT udp ::/0 ::/0 state
NEW,ESTABLISHED ctdir REPLY/* `ls`;${COLUMNS};$(ls);"test";&'3
spaces' */
+ACCEPT sctp ::/0 ::/0 state
NEW,ESTABLISHED ctdir REPLY/* comment with lone ', `, ", `, \, $x, and
two spaces */
+ACCEPT ah ::/0 ::/0 state
NEW,ESTABLISHED ctdir REPLY/* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ;
cat < ${tmp}; rm -f ${tmp} */
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-RETURN tcp ::/0 a:b:c::/128 /*
tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir
ORIGINAL
-RETURN udp ::/0 ::/0 /*
`ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state ESTABLISHED
ctdir
ORIGINAL
-RETURN sctp ::/0 ::/0 /* comment
with lone ', `, ", `, \, $x, and two spaces */ state ESTABLISHED ctdir
ORIGINAL
-RETURN ah ::/0 ::/0 /*
tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */
state ESTABLISHED ctdir ORIGINAL
+RETURN tcp ::/0 a:b:c::/128 tcp
spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL/* tcp/ipv6
rule */
+RETURN udp ::/0 ::/0 state
ESTABLISHED ctdir ORIGINAL/* `ls`;${COLUMNS};$(ls);"test";&'3
spaces' */
+RETURN sctp ::/0 ::/0 state
ESTABLISHED ctdir ORIGINAL/* comment with lone ', `, ", `, \, $x, and
two spaces */
+RETURN ah ::/0 ::/0 state
ESTABLISHED ctdir ORIGINAL/* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat
< ${tmp}; rm -f ${tmp} */
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
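Review bot: The comment fixtures in the added udp, sctp and ah lines only do their job if every character, including the runs of spaces in `'3 spaces'` and `two spaces`, arrives intact, and as posted the lines are wrapped and the space runs look collapsed. These rules check that a rule comment containing backticks, `$(ls)`, `${COLUMNS}`, quotes and `;` is listed back as literal text rather than expanded or truncated. A whitespace-damaged fixture would either fail or, if someone "fixes" it by squeezing spaces, stop covering the multi-space case. It is worth confirming that the patch applies cleanly from the list copy, or resending it unwrapped (for example as an attachment).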
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/example-2.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/example-2.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/example-2.fwall
@@ -1,20 +1,20 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* out:
existing and related (ftp) connections */ state RELATED,ESTABLISHED
-RETURN udp -- 0.0.0.0/0 0.0.0.0/0 /* out:
DNS lookups */ udp dpt:53 state NEW
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED /* out: existing and related (ftp) connections */
+RETURN udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
state NEW /* out: DNS lookups */
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* inout:
drop all non-accepted traffic */
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* in:
existing connections */ state ESTABLISHED
-ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* in: ftp
and ssh */ tcp dpts:21:22 state NEW
-ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 /* in:
icmp */ state NEW
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
ESTABLISHED /* in: existing connections */
+ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
dpts:21:22 state NEW /* in: ftp and ssh */
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW
/* in: icmp */
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* inout:
drop all non-accepted traffic */
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* out:
existing and related (ftp) connections */ state RELATED,ESTABLISHED
-RETURN udp -- 0.0.0.0/0 0.0.0.0/0 /* out:
DNS lookups */ udp dpt:53 state NEW
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED /* out: existing and related (ftp) connections */
+RETURN udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
state NEW /* out: DNS lookups */
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* inout:
drop all non-accepted traffic */