6:58 a.m.
Recent changes to how filters are being instantiated require follow-up
changes to the test suite. The following changes are related to
- usage of 'ctdir'
- changes to the host's incoming filter chain
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
---
scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall |
6 +++---
scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall |
6 +++---
scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall |
6 +++---
scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall |
6 +++---
scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall |
10 +++++-----
scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall | 2 +-
scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall |
6 +++---
scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall |
6 +++---
scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall |
6 +++---
scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall |
4 ++--
scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall | 2 +-
scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall | 2 +-
scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall | 2 +-
scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall |
4 ++--
scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall |
4 ++--
scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall |
6 +++---
scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall |
6 +++---
scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall |
6 +++---
scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall |
6 +++---
scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall |
6 +++---
scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall |
6 +++---
scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall |
6 +++---
scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall |
6 +++---
scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall |
6 +++---
24 files changed, 63 insertions(+), 63 deletions(-)
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall
===================================================================
---
libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall
@@ -1,21 +1,21 @@
#ip6tables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
-RETURN ah ::/0 a:b:c::/128 DSCP match
0x21state ESTABLISHED
-RETURN ah ::/0 ::10.1.2.3/128 DSCP match
0x21state ESTABLISHED
+RETURN ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN ah ::/0 a:b:c::/128 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
+RETURN ah ::/0 ::10.1.2.3/128 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT ah a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match
0x02state ESTABLISHED
-ACCEPT ah a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
-ACCEPT ah ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT ah a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match
0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT ah a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT ah ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02
-ACCEPT ah ::/0 a:b:c::/128 DSCP match
0x21
-ACCEPT ah ::/0 ::10.1.2.3/128 DSCP match
0x21
+RETURN ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN ah ::/0 a:b:c::/128 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
+RETURN ah ::/0 ::10.1.2.3/128 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
#ip6tables -L INPUT -n --line-numbers | grep libvirt
1 libvirt-host-in all ::/0 ::/0
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall
@@ -1,21 +1,21 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN ah -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
-RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
-RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+RETURN ah -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
+RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT ah -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED
-ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
-ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT ah -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT ah -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
-ACCEPT ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
-ACCEPT ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+RETURN ah -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
+RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall
===================================================================
---
libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall
@@ -1,21 +1,21 @@
#ip6tables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
-RETURN all ::/0 a:b:c::/128 DSCP match
0x21state ESTABLISHED
-RETURN all ::/0 ::10.1.2.3/128 DSCP match
0x21state ESTABLISHED
+RETURN all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN all ::/0 a:b:c::/128 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
+RETURN all ::/0 ::10.1.2.3/128 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT all a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match
0x02state ESTABLISHED
-ACCEPT all a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
-ACCEPT all ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT all a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match
0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT all a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT all ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02
-ACCEPT all ::/0 a:b:c::/128 DSCP match
0x21
-ACCEPT all ::/0 ::10.1.2.3/128 DSCP match
0x21
+RETURN all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN all ::/0 a:b:c::/128 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
+RETURN all ::/0 ::10.1.2.3/128 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
#ip6tables -L INPUT -n --line-numbers | grep libvirt
1 libvirt-host-in all ::/0 ::/0
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall
@@ -1,21 +1,21 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN all -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
-RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
-RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+RETURN all -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT all -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED
-ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
-ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT all -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT all -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
-ACCEPT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
-ACCEPT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+RETURN all -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
===================================================================
---
libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
@@ -11,15 +11,15 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400
dpts:564:1092 state NEW,ESTABLISHED
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400
dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x22/* udp rule */ udp spts:564:1092 dpts:291:400 state ESTABLISHED
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x22/* udp rule */ udp spts:564:1092 dpts:291:400 state ESTABLISHED
ctdir ORIGINAL
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400
dpts:564:1092
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400
dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY
#iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
#iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " "
@@ -31,24 +31,24 @@ FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [got
#ip6tables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN tcp ::/0 a:b:c::/128 /*
tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 state ESTABLISHED
-RETURN udp ::/0 ::/0 /*
`ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state ESTABLISHED
-RETURN sctp ::/0 ::/0 /* comment
with lone ', `, ", `, \\, $x, and two spaces */ state ESTABLISHED
-RETURN ah ::/0 ::/0 /*
tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */
state ESTABLISHED
+RETURN tcp ::/0 a:b:c::/128 /*
tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir
ORIGINAL
+RETURN udp ::/0 ::/0 /*
`ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state ESTABLISHED
ctdir
ORIGINAL
+RETURN sctp ::/0 ::/0 /* comment
with lone ', `, ", `, \\, $x, and two spaces */ state ESTABLISHED ctdir
ORIGINAL
+RETURN ah ::/0 ::/0 /*
tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */
state ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 /* tcp/ipv6 rule */ tcp spts:32:33 dpts:256:4369 state
NEW,ESTABLISHED
-ACCEPT udp ::/0 ::/0 /*
`ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state NEW,ESTABLISHED
-ACCEPT sctp ::/0 ::/0 /* comment
with lone ', `, ", `, \\, $x, and two spaces */ state NEW,ESTABLISHED
-ACCEPT ah ::/0 ::/0 /*
tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */
state NEW,ESTABLISHED
+ACCEPT tcp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 /* tcp/ipv6 rule */ tcp spts:32:33 dpts:256:4369 state
NEW,ESTABLISHED ctdir REPLY
+ACCEPT udp ::/0 ::/0 /*
`ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state NEW,ESTABLISHED
ctdir REPLY
+ACCEPT sctp ::/0 ::/0 /* comment
with lone ', `, ", `, \\, $x, and two spaces */ state NEW,ESTABLISHED
ctdir REPLY
+ACCEPT ah ::/0 ::/0 /*
tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */
state NEW,ESTABLISHED ctdir REPLY
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp ::/0 a:b:c::/128 /*
tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33
-ACCEPT udp ::/0 ::/0 /*
`ls`;${COLUMNS};$(ls);"test";&'3 spaces' */
-ACCEPT sctp ::/0 ::/0 /* comment
with lone ', `, ", `, \\, $x, and two spaces */
-ACCEPT ah ::/0 ::/0 /*
tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */
+RETURN tcp ::/0 a:b:c::/128 /*
tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir
ORIGINAL
+RETURN udp ::/0 ::/0 /*
`ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state ESTABLISHED
ctdir
ORIGINAL
+RETURN sctp ::/0 ::/0 /* comment
with lone ', `, ", `, \\, $x, and two spaces */ state ESTABLISHED ctdir
ORIGINAL
+RETURN ah ::/0 ::/0 /*
tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */
state ESTABLISHED ctdir ORIGINAL
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall
@@ -1,22 +1,22 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22
state ESTABLISHED
-RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state
ESTABLISHED
-RETURN all -- 0.0.0.0/0 0.0.0.0/0 state
ESTABLISHED
+RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22
state ESTABLISHED ctdir ORIGINAL
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state
ESTABLISHED ctdir ORIGINAL
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state
ESTABLISHED ctdir ORIGINAL
DROP all -- 0.0.0.0/0 0.0.0.0/0
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
state NEW,ESTABLISHED
-ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
NEW,ESTABLISHED
-ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
NEW,ESTABLISHED
+ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
state NEW,ESTABLISHED ctdir REPLY
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
NEW,ESTABLISHED ctdir REPLY
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
NEW,ESTABLISHED ctdir REPLY
DROP all -- 0.0.0.0/0 0.0.0.0/0
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22
-ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
-ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22
state ESTABLISHED ctdir ORIGINAL
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state
ESTABLISHED ctdir ORIGINAL
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state
ESTABLISHED ctdir ORIGINAL
DROP all -- 0.0.0.0/0 0.0.0.0/0
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall
===================================================================
---
libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall
+++
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall
@@ -11,7 +11,7 @@ DROP icmp -- 0.0.0.0/0
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type
8 state NEW,ESTABLISHED
DROP icmp -- 0.0.0.0/0 0.0.0.0/0
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall
===================================================================
---
libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall
+++
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall
@@ -11,7 +11,7 @@ DROP icmp -- 0.0.0.0/0
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type
0 state NEW,ESTABLISHED
DROP icmp -- 0.0.0.0/0 0.0.0.0/0
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall
===================================================================
---
libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall
+++
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall
@@ -1,17 +1,17 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state
NEW,ESTABLISHED
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state
NEW,ESTABLISHED ctdir REPLY
DROP all -- 0.0.0.0/0 0.0.0.0/0
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
ESTABLISHED
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
ESTABLISHED ctdir ORIGINAL
DROP all -- 0.0.0.0/0 0.0.0.0/0
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state
NEW,ESTABLISHED ctdir REPLY
DROP all -- 0.0.0.0/0 0.0.0.0/0
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
@@ -2,17 +2,17 @@
Chain FI-vnet0 (1 references)
target prot opt source destination
RETURN icmp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11 state NEW,ESTABLISHED
-RETURN icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+RETURN icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21icmp type 255 code 255 state
NEW,ESTABLISHED
-ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT icmp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11
-ACCEPT icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+RETURN icmp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11 state NEW,ESTABLISHED
+RETURN icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
@@ -2,17 +2,17 @@
Chain FI-vnet0 (1 references)
target prot opt source destination
RETURN icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11 state
NEW,ESTABLISHED
-RETURN icmpv6 ::/0 ::10.1.2.3/128 DSCP
match 0x21state ESTABLISHED
+RETURN icmpv6 ::/0 ::10.1.2.3/128 DSCP
match 0x21state ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
ACCEPT icmpv6 a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21ipv6-icmp type 255 code 255 state
NEW,ESTABLISHED
-ACCEPT icmpv6 ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT icmpv6 ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11
-ACCEPT icmpv6 ::/0 ::10.1.2.3/128 DSCP
match 0x21
+RETURN icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11 state
NEW,ESTABLISHED
+RETURN icmpv6 ::/0 ::10.1.2.3/128 DSCP
match 0x21state ESTABLISHED ctdir ORIGINAL
#ip6tables -L INPUT -n --line-numbers | grep libvirt
1 libvirt-host-in all ::/0 ::/0
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall
@@ -1,21 +1,21 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN 2 -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
-RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
-RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+RETURN 2 -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
+RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT 2 -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED
-ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
-ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT 2 -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT 2 -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
-ACCEPT 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
-ACCEPT 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+RETURN 2 -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
+RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall
===================================================================
---
libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall
@@ -1,21 +1,21 @@
#ip6tables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN sctp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
-RETURN sctp ::/0 a:b:c::/128 DSCP match
0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED
-RETURN sctp ::/0 ::10.1.2.3/128 DSCP match
0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED
+RETURN sctp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp ::/0 a:b:c::/128 DSCP match
0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN sctp ::/0 ::10.1.2.3/128 DSCP match
0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT sctp a:b:c::d:e:f/128 ::/0 DSCP match
0x02state ESTABLISHED
-ACCEPT sctp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 state
NEW,ESTABLISHED
-ACCEPT sctp ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 state
NEW,ESTABLISHED
+ACCEPT sctp a:b:c::d:e:f/128 ::/0 DSCP match
0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT sctp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 state
NEW,ESTABLISHED ctdir REPLY
+ACCEPT sctp ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 state
NEW,ESTABLISHED ctdir REPLY
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT sctp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02
-ACCEPT sctp ::/0 a:b:c::/128 DSCP match
0x21sctp spts:100:1111 dpts:20:21
-ACCEPT sctp ::/0 ::10.1.2.3/128 DSCP match
0x3fsctp spt:65535 dpts:255:256
+RETURN sctp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp ::/0 a:b:c::/128 DSCP match
0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN sctp ::/0 ::10.1.2.3/128 DSCP match
0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
#ip6tables -L INPUT -n --line-numbers | grep libvirt
1 libvirt-host-in all ::/0 ::/0
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall
@@ -1,21 +1,21 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN sctp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
-RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED
-RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED
-ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 state
NEW,ESTABLISHED
-ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 state
NEW,ESTABLISHED
+ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 state
NEW,ESTABLISHED ctdir REPLY
+ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 state
NEW,ESTABLISHED ctdir REPLY
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
-ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x21sctp spts:100:1111 dpts:20:21
-ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x3fsctp spt:65535 dpts:255:256
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall
@@ -1,21 +1,21 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN tcp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP
match 0x21tcp spts:100:1111 dpts:20:21
RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP
match 0x3ftcp spt:65535 dpts:255:256
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED
+ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED ctdir ORIGINAL
ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111
ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
-ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x21tcp spts:100:1111 dpts:20:21
-ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x3ftcp spt:65535 dpts:255:256
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x21tcp spts:100:1111 dpts:20:21
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x3ftcp spt:65535 dpts:255:256
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall
===================================================================
---
libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall
@@ -1,21 +1,21 @@
#ip6tables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN tcp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
-RETURN tcp ::/0 a:b:c::/128 DSCP match
0x21tcp spts:100:1111 dpts:20:21 state ESTABLISHED
-RETURN tcp ::/0 ::10.1.2.3/128 DSCP match
0x3ftcp spt:65535 dpts:255:256 state ESTABLISHED
+RETURN tcp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp ::/0 a:b:c::/128 DSCP match
0x21tcp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN tcp ::/0 ::10.1.2.3/128 DSCP match
0x3ftcp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp a:b:c::d:e:f/128 ::/0 DSCP match
0x02state ESTABLISHED
-ACCEPT tcp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111 state
NEW,ESTABLISHED
-ACCEPT tcp ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535 state
NEW,ESTABLISHED
+ACCEPT tcp a:b:c::d:e:f/128 ::/0 DSCP match
0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT tcp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111 state
NEW,ESTABLISHED ctdir REPLY
+ACCEPT tcp ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535 state
NEW,ESTABLISHED ctdir REPLY
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02
-ACCEPT tcp ::/0 a:b:c::/128 DSCP match
0x21tcp spts:100:1111 dpts:20:21
-ACCEPT tcp ::/0 ::10.1.2.3/128 DSCP match
0x3ftcp spt:65535 dpts:255:256
+RETURN tcp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN tcp ::/0 a:b:c::/128 DSCP match
0x21tcp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN tcp ::/0 ::10.1.2.3/128 DSCP match
0x3ftcp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
#ip6tables -L INPUT -n --line-numbers | grep libvirt
1 libvirt-host-in all ::/0 ::/0
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
===================================================================
---
libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
@@ -1,21 +1,21 @@
#ip6tables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN udp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
-RETURN udp ::/0 ::/0 DSCP match
0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED
-RETURN udp ::/0 ::10.1.2.3/128 DSCP match
0x3fudp spt:65535 dpts:255:256 state ESTABLISHED
+RETURN udp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN udp ::/0 ::/0 DSCP match
0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN udp ::/0 ::10.1.2.3/128 DSCP match
0x3fudp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT udp a:b:c::d:e:f/128 ::/0 DSCP match
0x02state ESTABLISHED
-ACCEPT udp ::/0 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state
NEW,ESTABLISHED
-ACCEPT udp ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state
NEW,ESTABLISHED
+ACCEPT udp a:b:c::d:e:f/128 ::/0 DSCP match
0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT udp ::/0 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state
NEW,ESTABLISHED ctdir REPLY
+ACCEPT udp ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state
NEW,ESTABLISHED ctdir REPLY
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT udp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02
-ACCEPT udp ::/0 ::/0 DSCP match
0x21udp spts:100:1111 dpts:20:21
-ACCEPT udp ::/0 ::10.1.2.3/128 DSCP match
0x3fudp spt:65535 dpts:255:256
+RETURN udp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN udp ::/0 ::/0 DSCP match
0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN udp ::/0 ::10.1.2.3/128 DSCP match
0x3fudp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
#ip6tables -L INPUT -n --line-numbers | grep libvirt
1 libvirt-host-in all ::/0 ::/0
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall
@@ -1,21 +1,21 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
-RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED
-RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x3fudp spt:65535 dpts:255:256 state ESTABLISHED
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x3fudp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED
-ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state
NEW,ESTABLISHED
-ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state
NEW,ESTABLISHED
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state
NEW,ESTABLISHED ctdir REPLY
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state
NEW,ESTABLISHED ctdir REPLY
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
-ACCEPT udp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x21udp spts:100:1111 dpts:20:21
-ACCEPT udp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x3fudp spt:65535 dpts:255:256
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x3fudp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall
===================================================================
---
libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall
@@ -3,17 +3,17 @@ Chain FI-vnet0 (1 references)
target prot opt source destination
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 1
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 2
-RETURN all -- 0.0.0.0/0 0.0.0.0/0 state
NEW,ESTABLISHED
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state
NEW,ESTABLISHED ctdir REPLY
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
ESTABLISHED
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
ESTABLISHED ctdir ORIGINAL
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 1
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 2
-ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state
NEW,ESTABLISHED ctdir REPLY
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall
===================================================================
---
libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall
@@ -1,21 +1,21 @@
#ip6tables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
-RETURN esp ::/0 a:b:c::/128 DSCP match
0x21state ESTABLISHED
-RETURN esp ::/0 ::10.1.2.3/128 DSCP match
0x21state ESTABLISHED
+RETURN esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN esp ::/0 a:b:c::/128 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
+RETURN esp ::/0 ::10.1.2.3/128 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT esp a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match
0x02state ESTABLISHED
-ACCEPT esp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
-ACCEPT esp ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT esp a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match
0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT esp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT esp ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02
-ACCEPT esp ::/0 a:b:c::/128 DSCP match
0x21
-ACCEPT esp ::/0 ::10.1.2.3/128 DSCP match
0x21
+RETURN esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN esp ::/0 a:b:c::/128 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
+RETURN esp ::/0 ::10.1.2.3/128 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
#ip6tables -L INPUT -n --line-numbers | grep libvirt
1 libvirt-host-in all ::/0 ::/0
#ip6tables -L libvirt-host-in -n | grep vnet0 |tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall
@@ -1,21 +1,21 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN esp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
-RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
-RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+RETURN esp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
+RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT esp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED
-ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
-ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT esp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT esp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
-ACCEPT esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
-ACCEPT esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+RETURN esp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
+RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall
===================================================================
---
libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall
+++
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall
@@ -1,21 +1,21 @@
#ip6tables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
-RETURN udplite ::/0 a:b:c::/128 DSCP
match 0x21state ESTABLISHED
-RETURN udplite ::/0 ::10.1.2.3/128 DSCP
match 0x21state ESTABLISHED
+RETURN udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN udplite ::/0 a:b:c::/128 DSCP
match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN udplite ::/0 ::10.1.2.3/128 DSCP
match 0x21state ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT udplite a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP
match 0x02state ESTABLISHED
-ACCEPT udplite a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
-ACCEPT udplite ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT udplite a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP
match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT udplite a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT udplite ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02
-ACCEPT udplite ::/0 a:b:c::/128 DSCP
match 0x21
-ACCEPT udplite ::/0 ::10.1.2.3/128 DSCP
match 0x21
+RETURN udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN udplite ::/0 a:b:c::/128 DSCP
match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN udplite ::/0 ::10.1.2.3/128 DSCP
match 0x21state ESTABLISHED ctdir ORIGINAL
#ip6tables -L INPUT -n --line-numbers | grep libvirt
1 libvirt-host-in all ::/0 ::/0
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall
===================================================================
---
libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall
@@ -1,21 +1,21 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN udplite-- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
-RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP
match 0x21state ESTABLISHED
-RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP
match 0x21state ESTABLISHED
+RETURN udplite-- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP
match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP
match 0x21state ESTABLISHED ctdir ORIGINAL
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT udplite-- 10.1.2.3 0.0.0.0/0 DSCP
match 0x02state ESTABLISHED
-ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
-ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT udplite-- 10.1.2.3 0.0.0.0/0 DSCP
match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT udplite-- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
-ACCEPT udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP
match 0x21
-ACCEPT udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP
match 0x21
+RETURN udplite-- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP
match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP
match 0x21state ESTABLISHED ctdir ORIGINAL
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
===================================================================
---
libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
@@ -11,15 +11,15 @@
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state
NEW,ESTABLISHED
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state
NEW,ESTABLISHED ctdir REPLY
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x22udp spts:564:1092 dpts:291:400 state ESTABLISHED
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x22udp spts:564:1092 dpts:291:400 state ESTABLISHED ctdir ORIGINAL
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state
NEW,ESTABLISHED ctdir REPLY
#iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
#iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " "
@@ -31,15 +31,15 @@ FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [got
#ip6tables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
-RETURN tcp ::/0 a:b:c::/128 tcp
spts:256:4369 dpts:32:33 state ESTABLISHED
+RETURN tcp ::/0 a:b:c::/128 tcp
spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED
+ACCEPT tcp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED
ctdir REPLY
#ip6tables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
-ACCEPT tcp ::/0 a:b:c::/128 tcp
spts:256:4369 dpts:32:33
+RETURN tcp ::/0 a:b:c::/128 tcp
spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
9:37 a.m.
On Thu, Oct 21, 2010 at 07:58:34AM -0400, Stefan Berger wrote:
Recent changes to how filters are being instantiated require
follow-up
changes to the test suite. The following changes are related to
- usage of 'ctdir'
- changes to the host's incoming filter chain
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
Can you resend without the whitespace problems. It is pretty hard
to read the diff to understand what has actually changed, because
the mail client has inserted arbitrary line breaks throughout :-(
Regards,
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
10:45 a.m.
On 10/21/2010 10:37 AM, Daniel P. Berrange wrote:
On Thu, Oct 21, 2010 at 07:58:34AM -0400, Stefan Berger wrote:
> Recent changes to how filters are being instantiated require follow-up
> changes to the test suite. The following changes are related to
>
> - usage of 'ctdir'
> - changes to the host's incoming filter chain
>
> Signed-off-by: Stefan Berger<stefanb(a)us.ibm.com>
Can you resend without the whitespace problems. It is pretty hard
to read the diff to understand what has actually changed, because
the mail client has inserted arbitrary line breaks throughout :-(
Regards,
Daniel
I was using Thunderbird... let me retry with Evolution. I'll also send
it as an attachment.
Stefan
10:51 a.m.
On Thu, Oct 21, 2010 at 11:45:15AM -0400, Stefan Berger wrote:
On 10/21/2010 10:37 AM, Daniel P. Berrange wrote:
>On Thu, Oct 21, 2010 at 07:58:34AM -0400, Stefan Berger wrote:
>> Recent changes to how filters are being instantiated require follow-up
>>changes to the test suite. The following changes are related to
>>
>>- usage of 'ctdir'
>>- changes to the host's incoming filter chain
>>
>>Signed-off-by: Stefan Berger<stefanb(a)us.ibm.com>
>Can you resend without the whitespace problems. It is pretty hard
>to read the diff to understand what has actually changed, because
>the mail client has inserted arbitrary line breaks throughout :-(
>
>Regards,
>Daniel
I was using Thunderbird... let me retry with Evolution. I'll also send
it as an attachment.
Most reliable is to just use git send-email :-)
The kernel Documentation/email-clients.txt has some tips on how to
stop thunderbird mangling patches, but it sounds painful...
[quote]
By default, thunderbird likes to mangle text, but there are ways to
coerce it into being nice.
- Under account settings, composition and addressing, uncheck "Compose
messages in HTML format".
- Edit your Thunderbird config settings to tell it not to wrap lines:
user_pref("mailnews.wraplength", 0);
- Edit your Thunderbird config settings so that it won't use format=flowed:
user_pref("mailnews.send_plaintext_flowed", false);
- You need to get Thunderbird into preformat mode:
. If you compose HTML messages by default, it's not too hard. Just select
"Preformat" from the drop-down box just under the subject line.
. If you compose in text by default, you have to tell it to compose a new
message in HTML (just as a one-off), and then force it from there back to
text, else it will wrap lines. To do this, use shift-click on the Write
icon to compose to get HTML compose mode, then select "Preformat" from
the drop-down box just under the subject line.
- Allows use of an external editor:
The easiest thing to do with Thunderbird and patches is to use an
"external editor" extension and then just use your favorite $EDITOR
for reading/merging patches into the body text. To do this, download
and install the extension, then add a button for it using
View->Toolbars->Customize... and finally just click on it when in the
Compose dialog.
[/quote]
Regards,
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
5148
days inactive
5148
days old
3 comments
2 participants
participants (2)
-
Daniel P. Berrange -
Stefan Berger