[libvirt] [TCK] [PATCH] follow reordering of match extensions relative to state match

This patch adjusts the tck test cases following the reordering of the match extensions relative to the state match in libvirt.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

---
 scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall | 30 +++++++--------
 scripts/nwfilter/nwfilterxml2fwallout/example-2.fwall | 14 +++----
 2 files changed, 22 insertions(+), 22 deletions(-)

Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
@@ -11,15 +11,15 @@ #iptables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY/* udp rule */ #iptables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x22/* udp rule */ udp spts:564:1092 dpts:291:400 state ESTABLISHED ctdir ORIGINAL +ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x22udp spts:564:1092 dpts:291:400 state ESTABLISHED ctdir ORIGINAL/* udp rule */ #iptables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY/* udp rule */ #iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " " HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 #iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " " 
@@ -31,24 +31,24 @@ FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [got #ip6tables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN tcp ::/0 a:b:c::/128 /* tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL -RETURN udp ::/0 ::/0 /* `ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state ESTABLISHED ctdir ORIGINAL -RETURN sctp ::/0 ::/0 /* comment with lone ', `, ", `, \, $x, and two spaces */ state ESTABLISHED ctdir ORIGINAL -RETURN ah ::/0 ::/0 /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state ESTABLISHED ctdir ORIGINAL +RETURN tcp ::/0 a:b:c::/128 tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL/* tcp/ipv6 rule */ +RETURN udp ::/0 ::/0 state ESTABLISHED ctdir ORIGINAL/* `ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ +RETURN sctp ::/0 ::/0 state ESTABLISHED ctdir ORIGINAL/* comment with lone ', `, ", `, \, $x, and two spaces */ +RETURN ah ::/0 ::/0 state ESTABLISHED ctdir ORIGINAL/* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ #ip6tables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 /* tcp/ipv6 rule */ tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED ctdir REPLY -ACCEPT udp ::/0 ::/0 /* `ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state NEW,ESTABLISHED ctdir REPLY -ACCEPT sctp ::/0 ::/0 /* comment with lone ', `, ", `, \, $x, and two spaces */ state NEW,ESTABLISHED ctdir REPLY -ACCEPT ah ::/0 ::/0 /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state NEW,ESTABLISHED ctdir REPLY +ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED ctdir REPLY/* tcp/ipv6 rule */ +ACCEPT udp ::/0 ::/0 state NEW,ESTABLISHED ctdir REPLY/* `ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ +ACCEPT sctp ::/0 ::/0 state NEW,ESTABLISHED ctdir REPLY/* comment with lone ', `, ", `, \, $x, and two spaces */ +ACCEPT ah ::/0 ::/0 
state NEW,ESTABLISHED ctdir REPLY/* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ #ip6tables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -RETURN tcp ::/0 a:b:c::/128 /* tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL -RETURN udp ::/0 ::/0 /* `ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state ESTABLISHED ctdir ORIGINAL -RETURN sctp ::/0 ::/0 /* comment with lone ', `, ", `, \, $x, and two spaces */ state ESTABLISHED ctdir ORIGINAL -RETURN ah ::/0 ::/0 /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state ESTABLISHED ctdir ORIGINAL +RETURN tcp ::/0 a:b:c::/128 tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL/* tcp/ipv6 rule */ +RETURN udp ::/0 ::/0 state ESTABLISHED ctdir ORIGINAL/* `ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ +RETURN sctp ::/0 ::/0 state ESTABLISHED ctdir ORIGINAL/* comment with lone ', `, ", `, \, $x, and two spaces */ +RETURN ah ::/0 ::/0 state ESTABLISHED ctdir ORIGINAL/* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " " HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 #ip6tables -L libvirt-in -n | grep vnet0 | tr -s " " Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/example-2.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/example-2.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/example-2.fwall 
@@ -1,20 +1,20 @@ #iptables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* out: existing and related (ftp) connections */ state RELATED,ESTABLISHED -RETURN udp -- 0.0.0.0/0 0.0.0.0/0 /* out: DNS lookups */ udp dpt:53 state NEW +RETURN all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* out: existing and related (ftp) connections */ +RETURN udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW /* out: DNS lookups */ DROP all -- 0.0.0.0/0 0.0.0.0/0 /* inout: drop all non-accepted traffic */ #iptables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* in: existing connections */ state ESTABLISHED -ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* in: ftp and ssh */ tcp dpts:21:22 state NEW -ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 /* in: icmp */ state NEW +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED /* in: existing connections */ +ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:21:22 state NEW /* in: ftp and ssh */ +ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW /* in: icmp */ DROP all -- 0.0.0.0/0 0.0.0.0/0 /* inout: drop all non-accepted traffic */ #iptables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* out: existing and related (ftp) connections */ state RELATED,ESTABLISHED -RETURN udp -- 0.0.0.0/0 0.0.0.0/0 /* out: DNS lookups */ udp dpt:53 state NEW +RETURN all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* out: existing and related (ftp) connections */ +RETURN udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW /* out: DNS lookups */ DROP all -- 0.0.0.0/0 0.0.0.0/0 /* inout: drop all non-accepted traffic */
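
Review bot: In the first comment-test.fwall hunk (FI-vnet0 and HI-vnet0), the new expected text `DSCP match 0x22udp spts:291:400` has no separator between the DSCP value and the udp match, and the comment is fused to the preceding token as `ctdir REPLY/* udp rule */` (likewise `ctdir ORIGINAL/* udp rule */` in FO-vnet0). The removed lines had a space after the comment, so the new form reads like a typo in the fixture. If this is the literal listing output, say so in the commit message so nobody later "corrects" the spacing, and expect to regenerate these lines if the listing format ever changes.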
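
Review bot: The ip6tables expectations in the second comment-test.fwall hunk (all four rules in each of FI-vnet0, FO-vnet0 and HI-vnet0) only match a libvirt that emits the comment after the state/ctdir match, but the description says just "following the reordering ... in libvirt" without naming the libvirt commit or release. Please reference it in the commit message so it is clear which libvirt versions these fixtures are valid for and which will now fail the test.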
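
Review bot: In the example-2.fwall hunk the relocated comments are preceded by a space (`state NEW /* out: DNS lookups */`), while the comment-test.fwall hunks expect none (`ctdir REPLY/* udp rule */`). The difference tracks whether state or ctdir is the last match printed before the comment; a line in the commit message noting this would keep the two fixtures from looking inconsistent. The unchanged DROP lines carry the comment as their only match, so leaving them as context is correct.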

On 02/14/2011 08:09 AM, Stefan Berger wrote:
This patch adjusts the tck test cases following the reordering of the match extensions relative to the state match in libvirt.
-RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400
Here, there's a space between 0x22 and udp, after you strip the comment.
dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state
But that space is lost here. Does the libvirt side of the patch need fixing?

--
Eric Blake eblake@redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org

On 02/14/2011 11:44 AM, Eric Blake wrote:
On 02/14/2011 08:09 AM, Stefan Berger wrote:
This patch adjusts the tck test cases following the reordering of the match extensions relative to the state match in libvirt.
-RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400
Here, there's a space between 0x22 and udp, after you strip the comment.
This is all iptables output and seems to be a problem of iptables sometimes omitting spaces. It looks like a comment rule automatically adds a space after it ...
dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state
But that space is lost here. Does the libvirt side of the patch need fixing?
... while the DSCP match 0x22 forgets to add a space. This is not a libvirt problem.
Stefan

On 02/14/2011 02:09 PM, Stefan Berger wrote:
On 02/14/2011 11:44 AM, Eric Blake wrote:
On 02/14/2011 08:09 AM, Stefan Berger wrote:
This patch adjusts the tck test cases following the reordering of the match extensions relative to the state match in libvirt.
-RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400
Here, there's a space between 0x22 and udp, after you strip the comment.
This is all iptables output and seems to be a problem of iptables sometimes omitting spaces. It looks like a comment rule automatically adds a space after it ...
dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state
But that space is lost here. Does the libvirt side of the patch need fixing?
... while the DSCP match 0x22 forgets to add a space. This is not a libvirt problem.
Stefan
ACK?
Stefan

On 02/18/2011 08:04 AM, Stefan Berger wrote:
On 02/14/2011 02:09 PM, Stefan Berger wrote:
On 02/14/2011 11:44 AM, Eric Blake wrote:
On 02/14/2011 08:09 AM, Stefan Berger wrote:
This patch adjusts the tck test cases following the reordering of the match extensions relative to the state match in libvirt.
-RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400
Here, there's a space between 0x22 and udp, after you strip the comment.
This is all iptables output and seems to be a problem of iptables sometimes omitting spaces. It looks like a comment rule automatically adds a space after it ...
dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state
But that space is lost here. Does the libvirt side of the patch need fixing?
... while the DSCP match 0x22 forgets to add a space. This is not a libvirt problem.
Stefan
ACK?
Yes; it matches the latest libvirt release, and as you say, the output issue is an iptables bug (have you reported it there?). ACK.

--
Eric Blake eblake@redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org

On 02/18/2011 10:12 AM, Eric Blake wrote:
On 02/18/2011 08:04 AM, Stefan Berger wrote:
On 02/14/2011 02:09 PM, Stefan Berger wrote:
On 02/14/2011 11:44 AM, Eric Blake wrote:
On 02/14/2011 08:09 AM, Stefan Berger wrote:
This patch adjusts the tck test cases following the reordering of the match extensions relative to the state match in libvirt.
-RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400
Here, there's a space between 0x22 and udp, after you strip the comment.
This is all iptables output and seems to be a problem of iptables sometimes omitting spaces. It looks like a comment rule automatically adds a space after it ...
dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state
But that space is lost here. Does the libvirt side of the patch need fixing?
... while the DSCP match 0x22 forgets to add a space. This is not a libvirt problem.
Stefan
ACK?
Yes; it matches the latest libvirt release, and as you say, the output issue is an iptables bug (have you reported it there?). ACK.
I'll push and file a bugzilla with iptables.
Stefan