I am resending the patch using 'evolution' and hope that no patch-mangling
occurs this time. At least it looks OK before sending (I am also sending the
patch as an attachment).
Recent changes to how filters are being instantiated require follow-up
changes to the test suite. The following changes are related to
- usage of 'ctdir'
- changes to the host's incoming filter chain
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
---
scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall | 6 +++---
scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall | 6 +++---
scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall | 6 +++---
scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall | 6 +++---
scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall | 10 +++++-----
scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall | 2 +-
scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall | 6 +++---
scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall | 6 +++---
scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall | 6 +++---
scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall | 4 ++--
scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall | 2 +-
scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall | 2 +-
scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall | 2 +-
scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall | 4 ++--
scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall | 4 ++--
scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall | 6 +++---
scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall | 6 +++---
scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall | 6 +++---
scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall | 6 +++---
scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall | 6 +++---
scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall | 6 +++---
scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall | 6 +++---
scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall | 6 +++---
scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall | 6 +++---
24 files changed, 63 insertions(+), 63 deletions(-)
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall
@@ -1,21 +1,21 @@
#ip6tables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
-RETURN ah ::/0 a:b:c::/128 DSCP match 0x21state
ESTABLISHED
-RETURN ah ::/0 ::10.1.2.3/128 DSCP match 0x21state
ESTABLISHED
+RETURN ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN ah ::/0 a:b:c::/128 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
+RETURN ah ::/0 ::10.1.2.3/128 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT ah a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state
ESTABLISHED
-ACCEPT ah a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED
-ACCEPT ah ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED
+ACCEPT ah a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state
ESTABLISHED ctdir ORIGINAL
+ACCEPT ah a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT ah ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED ctdir REPLY
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02
-ACCEPT ah ::/0 a:b:c::/128 DSCP match 0x21
-ACCEPT ah ::/0 ::10.1.2.3/128 DSCP match 0x21
+RETURN ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN ah ::/0 a:b:c::/128 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
+RETURN ah ::/0 ::10.1.2.3/128 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#ip6tables -L INPUT -n --line-numbers | grep libvirt
1 libvirt-host-in all ::/0 ::/0
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
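Review bot: The new expected rules pair `state NEW,ESTABLISHED` with `ctdir REPLY` and `state ESTABLISHED` with `ctdir ORIGINAL` in all three chains of this hunk, which reads as inverted, since the packet that creates a conntrack entry normally travels in the ORIGINAL direction. If the pairing is intentional (for example because of how the driver or the tested iptables/kernel reports direction), the commit message should say so in one sentence, so that a later reader does not "correct" the fixtures. The same pairing recurs in the ah-test, all-*, igmp, sctp-*, tcp-* and example-1 hunks. Because these fixtures compare raw `iptables -L` text, recording the iptables version they were generated with would also help when the output format drifts.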
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall
@@ -1,21 +1,21 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN ah -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
-RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED
-RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED
+RETURN ah -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
+RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT ah -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED
-ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED
-ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED
+ACCEPT ah -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED ctdir ORIGINAL
+ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED ctdir REPLY
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT ah -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02
-ACCEPT ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
-ACCEPT ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+RETURN ah -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
+RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
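Review bot: In HI-vnet0 the expected target changes from `ACCEPT` to `RETURN`, and the unchanged line `HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0` shows the chain is entered with a goto, so a RETURN presumably hands the packet back to the caller of libvirt-host-in instead of accepting it. None of the fixtures in this patch capture the rules evaluated after that point, so the expected output no longer shows where guest-to-host traffic is finally accepted or dropped. Consider extending the expected output with the relevant INPUT listing (the IPv6 fixtures already run `ip6tables -L INPUT -n --line-numbers | grep libvirt`), or state in the commit message that the host's own INPUT rules now make the decision. This applies to every HI-vnet0 block in the patch, including tcp-test, where rules 2 and 3 carry no state match at all.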
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall
@@ -1,21 +1,21 @@
#ip6tables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
-RETURN all ::/0 a:b:c::/128 DSCP match 0x21state
ESTABLISHED
-RETURN all ::/0 ::10.1.2.3/128 DSCP match 0x21state
ESTABLISHED
+RETURN all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN all ::/0 a:b:c::/128 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
+RETURN all ::/0 ::10.1.2.3/128 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT all a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state
ESTABLISHED
-ACCEPT all a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED
-ACCEPT all ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED
+ACCEPT all a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state
ESTABLISHED ctdir ORIGINAL
+ACCEPT all a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT all ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED ctdir REPLY
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02
-ACCEPT all ::/0 a:b:c::/128 DSCP match 0x21
-ACCEPT all ::/0 ::10.1.2.3/128 DSCP match 0x21
+RETURN all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN all ::/0 a:b:c::/128 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
+RETURN all ::/0 ::10.1.2.3/128 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#ip6tables -L INPUT -n --line-numbers | grep libvirt
1 libvirt-host-in all ::/0 ::/0
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall
@@ -1,21 +1,21 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
-RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED
-RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED
+RETURN all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT all -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED
-ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED
-ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED
+ACCEPT all -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED ctdir ORIGINAL
+ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED ctdir REPLY
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02
-ACCEPT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
-ACCEPT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+RETURN all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
@@ -11,15 +11,15 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x22/* udp rule */ udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x22/* udp rule */ udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x22/* udp rule
*/ udp spts:564:1092 dpts:291:400 state ESTABLISHED
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x22/* udp rule
*/ udp spts:564:1092 dpts:291:400 state ESTABLISHED ctdir ORIGINAL
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x22/* udp rule */ udp spts:291:400 dpts:564:1092
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x22/* udp rule */ udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY
#iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
#iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " "
@@ -31,24 +31,24 @@ FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [got
#ip6tables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN tcp ::/0 a:b:c::/128 /* tcp/ipv6 rule */ tcp
spts:256:4369 dpts:32:33 state ESTABLISHED
-RETURN udp ::/0 ::/0 /*
`ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state ESTABLISHED
-RETURN sctp ::/0 ::/0 /* comment with lone ',
`, ", `, \\, $x, and two spaces */ state ESTABLISHED
-RETURN ah ::/0 ::/0 /* tmp=`mktemp`; echo
${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state ESTABLISHED
+RETURN tcp ::/0 a:b:c::/128 /* tcp/ipv6 rule */ tcp
spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL
+RETURN udp ::/0 ::/0 /*
`ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state ESTABLISHED
ctdir ORIGINAL
+RETURN sctp ::/0 ::/0 /* comment with lone ',
`, ", `, \\, $x, and two spaces */ state ESTABLISHED ctdir ORIGINAL
+RETURN ah ::/0 ::/0 /* tmp=`mktemp`; echo
${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 /*
tcp/ipv6 rule */ tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED
-ACCEPT udp ::/0 ::/0 /*
`ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state NEW,ESTABLISHED
-ACCEPT sctp ::/0 ::/0 /* comment with lone ',
`, ", `, \\, $x, and two spaces */ state NEW,ESTABLISHED
-ACCEPT ah ::/0 ::/0 /* tmp=`mktemp`; echo
${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state NEW,ESTABLISHED
+ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 /*
tcp/ipv6 rule */ tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT udp ::/0 ::/0 /*
`ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state NEW,ESTABLISHED
ctdir REPLY
+ACCEPT sctp ::/0 ::/0 /* comment with lone ',
`, ", `, \\, $x, and two spaces */ state NEW,ESTABLISHED ctdir REPLY
+ACCEPT ah ::/0 ::/0 /* tmp=`mktemp`; echo
${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state NEW,ESTABLISHED ctdir
REPLY
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp ::/0 a:b:c::/128 /* tcp/ipv6 rule */ tcp
spts:256:4369 dpts:32:33
-ACCEPT udp ::/0 ::/0 /*
`ls`;${COLUMNS};$(ls);"test";&'3 spaces' */
-ACCEPT sctp ::/0 ::/0 /* comment with lone ',
`, ", `, \\, $x, and two spaces */
-ACCEPT ah ::/0 ::/0 /* tmp=`mktemp`; echo
${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */
+RETURN tcp ::/0 a:b:c::/128 /* tcp/ipv6 rule */ tcp
spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL
+RETURN udp ::/0 ::/0 /*
`ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state ESTABLISHED
ctdir ORIGINAL
+RETURN sctp ::/0 ::/0 /* comment with lone ',
`, ", `, \\, $x, and two spaces */ state ESTABLISHED ctdir ORIGINAL
+RETURN ah ::/0 ::/0 /* tmp=`mktemp`; echo
${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state ESTABLISHED ctdir ORIGINAL
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
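Review bot: Several added lines in this hunk are wrapped so that the tail of the rule sits on a line with no `+` marker (`ctdir ORIGINAL` after the udp rule in FI-vnet0 and HI-vnet0, `ctdir REPLY` after the udp rule and a lone `REPLY` after the ah rule in FO-vnet0), so the inline copy cannot reproduce the single-line expected output. This fixture appears to check that comment text containing backticks, `$(ls)`, `${...}` and quotes is listed literally by ip6tables rather than interpreted, so byte-exact lines matter here more than anywhere else in the patch. The attached copy should be the one applied, and it is worth re-running the comment test after applying it. The same wrapping affects the example-1 and icmp-direction* hunks.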
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall
@@ -1,22 +1,22 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED
-RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
-RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
+RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED
ctdir ORIGINAL
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir
ORIGINAL
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir
ORIGINAL
DROP all -- 0.0.0.0/0 0.0.0.0/0
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state
NEW,ESTABLISHED
-ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
-ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
+ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state
NEW,ESTABLISHED ctdir REPLY
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir
REPLY
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir
REPLY
DROP all -- 0.0.0.0/0 0.0.0.0/0
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22
-ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
-ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED
ctdir ORIGINAL
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir
ORIGINAL
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir
ORIGINAL
DROP all -- 0.0.0.0/0 0.0.0.0/0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall
@@ -11,7 +11,7 @@ DROP icmp -- 0.0.0.0/0
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 state
NEW,ESTABLISHED
DROP icmp -- 0.0.0.0/0 0.0.0.0/0
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
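Review bot: The new HI-vnet0 rule for `icmp type 8` gains `state NEW,ESTABLISHED` but no `ctdir`, whereas the untyped icmp rule in icmp-direction3-test becomes `state NEW,ESTABLISHED ctdir REPLY`. The typed rules in icmp-direction2-test, icmp-test and icmpv6-test follow the same pattern, so this looks deliberate, but the description only says "usage of 'ctdir'" and does not say when the match is omitted. A sentence in the commit message stating which rules carry no ctdir match (apparently those that match an ICMP type; confirm against the driver) would make the expectation reviewable. This hunk starts at line 11 of the fixture, so the FI-vnet0 and FO-vnet0 expectations for this test are not visible here.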
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall
@@ -11,7 +11,7 @@ DROP icmp -- 0.0.0.0/0
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0 state
NEW,ESTABLISHED
DROP icmp -- 0.0.0.0/0 0.0.0.0/0
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall
@@ -1,17 +1,17 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir
REPLY
DROP all -- 0.0.0.0/0 0.0.0.0/0
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir
ORIGINAL
DROP all -- 0.0.0.0/0 0.0.0.0/0
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir
REPLY
DROP all -- 0.0.0.0/0 0.0.0.0/0
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
@@ -2,17 +2,17 @@
Chain FI-vnet0 (1 references)
target prot opt source destination
RETURN icmp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02icmp type 12 code 11 state NEW,ESTABLISHED
-RETURN icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED
+RETURN icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21icmp type 255 code 255 state NEW,ESTABLISHED
-ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED
+ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED ctdir REPLY
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT icmp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02icmp type 12 code 11
-ACCEPT icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+RETURN icmp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02icmp type 12 code 11 state NEW,ESTABLISHED
+RETURN icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
@@ -2,17 +2,17 @@
Chain FI-vnet0 (1 references)
target prot opt source destination
RETURN icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02ipv6-icmp type 12 code 11 state NEW,ESTABLISHED
-RETURN icmpv6 ::/0 ::10.1.2.3/128 DSCP match 0x21state
ESTABLISHED
+RETURN icmpv6 ::/0 ::10.1.2.3/128 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
ACCEPT icmpv6 a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21ipv6-icmp type 255 code 255 state NEW,ESTABLISHED
-ACCEPT icmpv6 ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED
+ACCEPT icmpv6 ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED ctdir REPLY
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02ipv6-icmp type 12 code 11
-ACCEPT icmpv6 ::/0 ::10.1.2.3/128 DSCP match 0x21
+RETURN icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02ipv6-icmp type 12 code 11 state NEW,ESTABLISHED
+RETURN icmpv6 ::/0 ::10.1.2.3/128 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#ip6tables -L INPUT -n --line-numbers | grep libvirt
1 libvirt-host-in all ::/0 ::/0
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall
@@ -1,21 +1,21 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN 2 -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
-RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED
-RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED
+RETURN 2 -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
+RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT 2 -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED
-ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED
-ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED
+ACCEPT 2 -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED ctdir ORIGINAL
+ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED ctdir REPLY
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT 2 -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02
-ACCEPT 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
-ACCEPT 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+RETURN 2 -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
+RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall
@@ -1,21 +1,21 @@
#ip6tables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN sctp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
-RETURN sctp ::/0 a:b:c::/128 DSCP match 0x21sctp
spts:100:1111 dpts:20:21 state ESTABLISHED
-RETURN sctp ::/0 ::10.1.2.3/128 DSCP match 0x3fsctp
spt:65535 dpts:255:256 state ESTABLISHED
+RETURN sctp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp ::/0 a:b:c::/128 DSCP match 0x21sctp
spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN sctp ::/0 ::10.1.2.3/128 DSCP match 0x3fsctp
spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT sctp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state
ESTABLISHED
-ACCEPT sctp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21sctp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED
-ACCEPT sctp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x3fsctp spts:255:256 dpt:65535 state NEW,ESTABLISHED
+ACCEPT sctp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state
ESTABLISHED ctdir ORIGINAL
+ACCEPT sctp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21sctp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT sctp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x3fsctp spts:255:256 dpt:65535 state NEW,ESTABLISHED ctdir REPLY
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT sctp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02
-ACCEPT sctp ::/0 a:b:c::/128 DSCP match 0x21sctp
spts:100:1111 dpts:20:21
-ACCEPT sctp ::/0 ::10.1.2.3/128 DSCP match 0x3fsctp
spt:65535 dpts:255:256
+RETURN sctp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp ::/0 a:b:c::/128 DSCP match 0x21sctp
spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN sctp ::/0 ::10.1.2.3/128 DSCP match 0x3fsctp
spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
#ip6tables -L INPUT -n --line-numbers | grep libvirt
1 libvirt-host-in all ::/0 ::/0
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall
@@ -1,21 +1,21 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN sctp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
-RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21sctp
spts:100:1111 dpts:20:21 state ESTABLISHED
-RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fsctp
spt:65535 dpts:255:256 state ESTABLISHED
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21sctp
spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fsctp
spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED
-ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21sctp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED
-ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x3fsctp spts:255:256 dpt:65535 state NEW,ESTABLISHED
+ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED ctdir ORIGINAL
+ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21sctp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x3fsctp spts:255:256 dpt:65535 state NEW,ESTABLISHED ctdir REPLY
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02
-ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21sctp
spts:100:1111 dpts:20:21
-ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fsctp
spt:65535 dpts:255:256
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21sctp
spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fsctp
spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall
@@ -1,21 +1,21 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN tcp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21tcp
spts:100:1111 dpts:20:21
RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3ftcp spt:65535
dpts:255:256
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED
+ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED ctdir ORIGINAL
ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21tcp spts:20:21 dpts:100:1111
ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x3ftcp spts:255:256 dpt:65535
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02
-ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21tcp
spts:100:1111 dpts:20:21
-ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3ftcp spt:65535
dpts:255:256
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21tcp
spts:100:1111 dpts:20:21
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3ftcp spt:65535
dpts:255:256
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
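Review bot: The new expectations pair `state NEW,ESTABLISHED` with `ctdir REPLY` (first rule of FI-vnet0 and of HI-vnet0) and `state ESTABLISHED` with `ctdir ORIGINAL` (first rule of FO-vnet0), which reads inverted against the documented meaning of `--ctdir`. A connection's first packet travels in the ORIGINAL direction, so a NEW packet would not be expected to match REPLY. If that reading is right, the fixture pins rules that filter as intended only where the kernel's direction match behaves opposite to its documentation; this is inferred from the listing, and the patch does not say so. The same pairing is in the tcp-ipv6, udp-ipv6, udp, conntrack, esp-ipv6, esp, udplite-ipv6, udplite and hex-data hunks. A .fwall file has no room for a comment, so the commit message should state why REPLY goes with the rules that admit NEW and which kernel and iptables versions the listings were checked on.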
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall
@@ -1,21 +1,21 @@
#ip6tables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN tcp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
-RETURN tcp ::/0 a:b:c::/128 DSCP match 0x21tcp
spts:100:1111 dpts:20:21 state ESTABLISHED
-RETURN tcp ::/0 ::10.1.2.3/128 DSCP match 0x3ftcp spt:65535
dpts:255:256 state ESTABLISHED
+RETURN tcp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp ::/0 a:b:c::/128 DSCP match 0x21tcp
spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN tcp ::/0 ::10.1.2.3/128 DSCP match 0x3ftcp spt:65535
dpts:255:256 state ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state
ESTABLISHED
-ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21tcp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED
-ACCEPT tcp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x3ftcp spts:255:256 dpt:65535 state NEW,ESTABLISHED
+ACCEPT tcp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state
ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21tcp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT tcp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x3ftcp spts:255:256 dpt:65535 state NEW,ESTABLISHED ctdir REPLY
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02
-ACCEPT tcp ::/0 a:b:c::/128 DSCP match 0x21tcp
spts:100:1111 dpts:20:21
-ACCEPT tcp ::/0 ::10.1.2.3/128 DSCP match 0x3ftcp spt:65535
dpts:255:256
+RETURN tcp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp ::/0 a:b:c::/128 DSCP match 0x21tcp
spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN tcp ::/0 ::10.1.2.3/128 DSCP match 0x3ftcp spt:65535
dpts:255:256 state ESTABLISHED ctdir ORIGINAL
#ip6tables -L INPUT -n --line-numbers | grep libvirt
1 libvirt-host-in all ::/0 ::/0
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
@@ -1,21 +1,21 @@
#ip6tables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
-RETURN udp ::/0 ::/0 DSCP match 0x21udp
spts:100:1111 dpts:20:21 state ESTABLISHED
-RETURN udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535
dpts:255:256 state ESTABLISHED
+RETURN udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN udp ::/0 ::/0 DSCP match 0x21udp
spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535
dpts:255:256 state ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT udp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state
ESTABLISHED
-ACCEPT udp ::/0 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21udp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED
-ACCEPT udp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x3fudp spts:255:256 dpt:65535 state NEW,ESTABLISHED
+ACCEPT udp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state
ESTABLISHED ctdir ORIGINAL
+ACCEPT udp ::/0 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21udp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT udp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x3fudp spts:255:256 dpt:65535 state NEW,ESTABLISHED ctdir REPLY
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02
-ACCEPT udp ::/0 ::/0 DSCP match 0x21udp
spts:100:1111 dpts:20:21
-ACCEPT udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535
dpts:255:256
+RETURN udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN udp ::/0 ::/0 DSCP match 0x21udp
spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535
dpts:255:256 state ESTABLISHED ctdir ORIGINAL
#ip6tables -L INPUT -n --line-numbers | grep libvirt
1 libvirt-host-in all ::/0 ::/0
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall
@@ -1,21 +1,21 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
-RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21udp
spts:100:1111 dpts:20:21 state ESTABLISHED
-RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fudp spt:65535
dpts:255:256 state ESTABLISHED
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21udp
spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fudp spt:65535
dpts:255:256 state ESTABLISHED ctdir ORIGINAL
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED
-ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21udp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED
-ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x3fudp spts:255:256 dpt:65535 state NEW,ESTABLISHED
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED ctdir ORIGINAL
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21udp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x3fudp spts:255:256 dpt:65535 state NEW,ESTABLISHED ctdir REPLY
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02
-ACCEPT udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21udp
spts:100:1111 dpts:20:21
-ACCEPT udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fudp spt:65535
dpts:255:256
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21udp
spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fudp spt:65535
dpts:255:256 state ESTABLISHED ctdir ORIGINAL
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
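Review bot: With the HI-vnet0 targets changing from ACCEPT to RETURN, the verdict for guest-to-host traffic presumably falls to whatever follows in the host's INPUT chain, yet the visible part of this IPv4 fixture never lists INPUT. The IPv6 fixtures in this patch do, through `#ip6tables -L INPUT -n --line-numbers | grep libvirt` and its expected `1 libvirt-host-in` line. A matching `#iptables -L INPUT -n --line-numbers | grep libvirt` entry here, with its expected output line, would pin that the libvirt chain is still consulted first. The same applies to the tcp, conntrack, esp, udplite and hex-data IPv4 hunks. The file may continue past the hunk, so the check could already exist outside it.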
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall
@@ -3,17 +3,17 @@ Chain FI-vnet0 (1 references)
target prot opt source destination
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 1
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 2
-RETURN all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir
REPLY
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir
ORIGINAL
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 1
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 2
-ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir
REPLY
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall
@@ -1,21 +1,21 @@
#ip6tables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
-RETURN esp ::/0 a:b:c::/128 DSCP match 0x21state
ESTABLISHED
-RETURN esp ::/0 ::10.1.2.3/128 DSCP match 0x21state
ESTABLISHED
+RETURN esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN esp ::/0 a:b:c::/128 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
+RETURN esp ::/0 ::10.1.2.3/128 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT esp a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state
ESTABLISHED
-ACCEPT esp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED
-ACCEPT esp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED
+ACCEPT esp a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state
ESTABLISHED ctdir ORIGINAL
+ACCEPT esp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT esp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED ctdir REPLY
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02
-ACCEPT esp ::/0 a:b:c::/128 DSCP match 0x21
-ACCEPT esp ::/0 ::10.1.2.3/128 DSCP match 0x21
+RETURN esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN esp ::/0 a:b:c::/128 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
+RETURN esp ::/0 ::10.1.2.3/128 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#ip6tables -L INPUT -n --line-numbers | grep libvirt
1 libvirt-host-in all ::/0 ::/0
#ip6tables -L libvirt-host-in -n | grep vnet0 |tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall
@@ -1,21 +1,21 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN esp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
-RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED
-RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED
+RETURN esp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
+RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT esp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED
-ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED
-ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED
+ACCEPT esp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED ctdir ORIGINAL
+ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED ctdir REPLY
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT esp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02
-ACCEPT esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
-ACCEPT esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+RETURN esp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
+RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall
@@ -1,21 +1,21 @@
#ip6tables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
-RETURN udplite ::/0 a:b:c::/128 DSCP match 0x21state
ESTABLISHED
-RETURN udplite ::/0 ::10.1.2.3/128 DSCP match 0x21state
ESTABLISHED
+RETURN udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN udplite ::/0 a:b:c::/128 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
+RETURN udplite ::/0 ::10.1.2.3/128 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT udplite a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state
ESTABLISHED
-ACCEPT udplite a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED
-ACCEPT udplite ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED
+ACCEPT udplite a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state
ESTABLISHED ctdir ORIGINAL
+ACCEPT udplite a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT udplite ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED ctdir REPLY
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02
-ACCEPT udplite ::/0 a:b:c::/128 DSCP match 0x21
-ACCEPT udplite ::/0 ::10.1.2.3/128 DSCP match 0x21
+RETURN udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN udplite ::/0 a:b:c::/128 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
+RETURN udplite ::/0 ::10.1.2.3/128 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#ip6tables -L INPUT -n --line-numbers | grep libvirt
1 libvirt-host-in all ::/0 ::/0
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall
@@ -1,21 +1,21 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN udplite-- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
-RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED
-RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED
+RETURN udplite-- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
+RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT udplite-- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED
-ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED
-ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED
+ACCEPT udplite-- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED ctdir ORIGINAL
+ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21state NEW,ESTABLISHED ctdir REPLY
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT udplite-- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02
-ACCEPT udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
-ACCEPT udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+RETURN udplite-- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
+RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state
ESTABLISHED ctdir ORIGINAL
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
@@ -11,15 +11,15 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x22udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x22udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x22udp
spts:564:1092 dpts:291:400 state ESTABLISHED
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x22udp
spts:564:1092 dpts:291:400 state ESTABLISHED ctdir ORIGINAL
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x22udp spts:291:400 dpts:564:1092
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x22udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY
#iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
#iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " "
@@ -31,15 +31,15 @@ FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [got
#ip6tables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN tcp ::/0 a:b:c::/128 tcp spts:256:4369 dpts:32:33
state ESTABLISHED
+RETURN tcp ::/0 a:b:c::/128 tcp spts:256:4369 dpts:32:33
state ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 tcp
spts:32:33 dpts:256:4369 state NEW,ESTABLISHED
+ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 tcp
spts:32:33 dpts:256:4369 state NEW,ESTABLISHED ctdir REPLY
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp ::/0 a:b:c::/128 tcp spts:256:4369 dpts:32:33
+RETURN tcp ::/0 a:b:c::/128 tcp spts:256:4369 dpts:32:33
state ESTABLISHED ctdir ORIGINAL
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "