openkylin
/
libvirt
mirror of https://gitee.com/openkylin/libvirt.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add a test suite for nwfilter ebiptables tech driver 

Create a nwfilterxml2firewalltest to exercise the
ebiptables_driver.applyNewRules method with a variety of
different XML input files. The XML input files are taken
from the libvirt-tck nwfilter tests. While the nwfilter
tests verify the final state of the iptables chains, this
test verifies the set of commands invoked to create the
chains.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrange 2014-04-01 07:19:38 +01:00
parent 4131bff5b7
commit 3ba789ccd5
85 changed files with 2610 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/conf/nwfilter_params.c
View File

@ -252,6 +252,21 @@ virNWFilterVarValueAddValue(virNWFilterVarValuePtr val, char *value)
return rc;
}
int
virNWFilterVarValueAddValueCopy(virNWFilterVarValuePtr val, const char *value)
{
char *valdup;
if (VIR_STRDUP(valdup, value) < 0)
return -1;
if (virNWFilterVarValueAddValue(val, valdup) < 0) {
VIR_FREE(valdup);
return -1;
}
return 0;
}
static int
virNWFilterVarValueDelNthValue(virNWFilterVarValuePtr val, unsigned int pos)
{

1
src/conf/nwfilter_params.h
View File

@ -60,6 +60,7 @@ unsigned int virNWFilterVarValueGetCardinality(const virNWFilterVarValue *);
bool virNWFilterVarValueEqual(const virNWFilterVarValue *a,
const virNWFilterVarValue *b);
int virNWFilterVarValueAddValue(virNWFilterVarValuePtr val, char *value);
int virNWFilterVarValueAddValueCopy(virNWFilterVarValuePtr val, const char *value);
int virNWFilterVarValueDelValue(virNWFilterVarValuePtr val, const char *value);
typedef struct _virNWFilterHashTable virNWFilterHashTable;

2
src/libvirt_private.syms
View File

@ -576,6 +576,7 @@ virNWFilterConfLayerInit;
virNWFilterConfLayerShutdown;
virNWFilterDefFormat;
virNWFilterDefFree;
virNWFilterDefParseFile;
virNWFilterDefParseString;
virNWFilterInstFiltersOnAllVMs;
virNWFilterJumpTargetTypeToString;
@ -628,6 +629,7 @@ virNWFilterVarCombIterFree;
virNWFilterVarCombIterGetVarValue;
virNWFilterVarCombIterNext;
virNWFilterVarValueAddValue;
virNWFilterVarValueAddValueCopy;
virNWFilterVarValueCopy;
virNWFilterVarValueCreateSimple;
virNWFilterVarValueCreateSimpleCopyValue;

7
tests/Makefile.am
View File

@ -274,6 +274,7 @@ test_programs += nwfilterxml2xmltest
if WITH_NWFILTER
test_programs += nwfilterebiptablestest
test_programs += nwfilterxml2firewalltest
endif WITH_NWFILTER
if WITH_STORAGE
@ -705,6 +706,12 @@ nwfilterebiptablestest_SOURCES = \
nwfilterebiptablestest.c \
testutils.c testutils.h
nwfilterebiptablestest_LDADD = ../src/libvirt_driver_nwfilter_impl.la $(LDADDS)
nwfilterxml2firewalltest_SOURCES = \
nwfilterxml2firewalltest.c \
testutils.c testutils.h
nwfilterxml2firewalltest_LDADD = \
../src/libvirt_driver_nwfilter_impl.la $(LDADDS)
endif WITH_NWFILTER
secretxml2xmltest_SOURCES = \

20
tests/nwfilterxml2firewalldata/ah-ipv6-linux.args Normal file
View File

@ -0,0 +1,20 @@
ip6tables -A FJ-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
--state NEW,ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p ah --destination f:e:d::c:b:a/127 \
--source a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
--state NEW,ESTABLISHED -j RETURN
ip6tables -A FJ-vnet0 -p ah --destination a:b:c::/128 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
--source a:b:c::/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p ah --destination a:b:c::/128 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN
ip6tables -A FJ-vnet0 -p ah --destination ::10.1.2.3/128 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
--source ::10.1.2.3/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p ah --destination ::10.1.2.3/128 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN

19
tests/nwfilterxml2firewalldata/ah-ipv6.xml Normal file
View File

@ -0,0 +1,19 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<ah-ipv6 srcmacaddr='1:2:3:4:5:6'
dstipaddr='a:b:c::d:e:f' dstipmask='128'
srcipaddr='f:e:d::c:b:a' srcipmask='127'
dscp='2'/>
</rule>
<rule action='accept' direction='in'>
<ah-ipv6 srcmacaddr='1:2:3:4:5:6'
srcipaddr='a:b:c::' srcipmask='128'
dscp='33'/>
</rule>
<rule action='accept' direction='in'>
<ah-ipv6 srcmacaddr='1:2:3:4:5:6'
srcipaddr='::10.1.2.3' srcipmask='128'
dscp='33'/>
</rule>
</filter>

18
tests/nwfilterxml2firewalldata/ah-linux.args Normal file
View File

@ -0,0 +1,18 @@
iptables -A FJ-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p ah --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
--state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p ah --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p ah --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p ah --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p ah --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN

18
tests/nwfilterxml2firewalldata/ah.xml Normal file
View File

@ -0,0 +1,18 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<ah srcmacaddr='1:2:3:4:5:6'
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
dscp='2'/>
</rule>
<rule action='accept' direction='in'>
<ah srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='22'
dscp='33'/>
</rule>
<rule action='accept' direction='in'>
<ah srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='22'
dscp='33'/>
</rule>
</filter>

20
tests/nwfilterxml2firewalldata/all-ipv6-linux.args Normal file
View File

@ -0,0 +1,20 @@
ip6tables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
--state NEW,ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p all --destination f:e:d::c:b:a/127 \
--source a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
--state NEW,ESTABLISHED -j RETURN
ip6tables -A FJ-vnet0 -p all --destination a:b:c::/128 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--source a:b:c::/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p all --destination a:b:c::/128 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN
ip6tables -A FJ-vnet0 -p all --destination ::10.1.2.3/128 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--source ::10.1.2.3/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p all --destination ::10.1.2.3/128 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN

19
tests/nwfilterxml2firewalldata/all-ipv6.xml Normal file
View File

@ -0,0 +1,19 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<all-ipv6 srcmacaddr='1:2:3:4:5:6'
dstipaddr='a:b:c::d:e:f' dstipmask='128'
srcipaddr='f:e:d::c:b:a' srcipmask='127'
dscp='2'/>
</rule>
<rule action='accept' direction='in'>
<all-ipv6 srcmacaddr='1:2:3:4:5:6'
srcipaddr='a:b:c::' srcipmask='128'
dscp='33'/>
</rule>
<rule action='accept' direction='in'>
<all-ipv6 srcmacaddr='1:2:3:4:5:6'
srcipaddr='::10.1.2.3' srcipmask='128'
dscp='33'/>
</rule>
</filter>

18
tests/nwfilterxml2firewalldata/all-linux.args Normal file
View File

@ -0,0 +1,18 @@
iptables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p all --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
--state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN

18
tests/nwfilterxml2firewalldata/all.xml Normal file
View File

@ -0,0 +1,18 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<all srcmacaddr='1:2:3:4:5:6'
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
dscp='2'/>
</rule>
<rule action='accept' direction='in'>
<all srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='22'
dscp='33'/>
</rule>
<rule action='accept' direction='in'>
<all srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='22'
dscp='33'/>
</rule>
</filter>

11
tests/nwfilterxml2firewalldata/arp-linux.args Normal file
View File

@ -0,0 +1,11 @@
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x806 --arp-htype 12 --arp-opcode 1 \
--arp-ptype 0x22 --arp-mac-src 01:02:03:04:05:06 --arp-mac-dst 0a:0b:0c:0d:0e:0f \
-j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 --arp-htype 255 --arp-opcode 1 --arp-ptype 0xff -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 --arp-htype 256 --arp-opcode 11 --arp-ptype 0x100 -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 --arp-htype 65535 --arp-opcode 65535 --arp-ptype 0xffff -j ACCEPT
ebtables -t nat -A libvirt-P-vnet0 -p 0x806 --arp-gratuitous -j ACCEPT

32
tests/nwfilterxml2firewalldata/arp.xml Normal file
View File

@ -0,0 +1,32 @@
<filter name='tck-testcase'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
protocolid='arp'
dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
hwtype='12'
protocoltype='34'
opcode='Request'
arpsrcmacaddr='1:2:3:4:5:6'
arpdstmacaddr='a:b:c:d:e:f'/>
</rule>
<rule action='accept' direction='out'>
<arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
opcode='1' hwtype='255' protocoltype='255'/>
</rule>
<rule action='accept' direction='out'>
<arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
opcode='11' hwtype='256' protocoltype='256'/>
</rule>
<rule action='accept' direction='out'>
<arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
opcode='65535' hwtype='65535' protocoltype='65535' />
</rule>
<rule action='accept' direction='in'>
<arp gratuitous='true'/>
</rule>
</filter>

49
tests/nwfilterxml2firewalldata/comment-linux.args Normal file
View File

@ -0,0 +1,49 @@
ebtables -t nat -A libvirt-P-vnet0 -p 0x1234 -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p ipv4 --ip-source 10.1.2.3/32 \
--ip-destination 10.1.2.3/32 --ip-protocol 17 --ip-source-port 291:564 \
--ip-destination-port 13398:17767 --ip-tos 0x32 -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:80 -p ipv6 --ip6-source ::10.1.2.3/22 \
--ip6-destination ::10.1.2.3/113 --ip6-protocol 6 --ip6-source-port 273:400 \
--ip6-destination-port 13107:65535 -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x806 --arp-htype 18 --arp-opcode 1 \
--arp-ptype 0x56 --arp-mac-src 01:02:03:04:05:06 --arp-mac-dst 0a:0b:0c:0d:0e:0f \
-j ACCEPT
iptables -A FJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 34 --sport 291:400 --dport 564:1092 -m state \
--state NEW,ESTABLISHED -m comment --comment 'udp rule' -j RETURN
iptables -A FP-vnet0 -p udp --source 10.1.2.3/32 -m dscp --dscp 34 \
--dport 291:400 --sport 564:1092 -m state --state ESTABLISHED -m comment \
--comment 'udp rule' -j ACCEPT
iptables -A HJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 34 --sport 291:400 --dport 564:1092 -m state \
--state NEW,ESTABLISHED -m comment --comment 'udp rule' -j RETURN
ip6tables -A FJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 57 \
--dport 32:33 --sport 256:4369 -m state --state ESTABLISHED -m comment \
--comment 'tcp/ipv6 rule' -j RETURN
ip6tables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
--source a:b:c::/128 -m dscp --dscp 57 --sport 32:33 --dport 256:4369 -m state \
--state NEW,ESTABLISHED -m comment --comment 'tcp/ipv6 rule' -j ACCEPT
ip6tables -A HJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 57 \
--dport 32:33 --sport 256:4369 -m state --state ESTABLISHED -m comment \
--comment 'tcp/ipv6 rule' -j RETURN
ip6tables -A FJ-vnet0 -p udp -m state --state ESTABLISHED -m comment \
--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' -j RETURN
ip6tables -A FP-vnet0 -p udp -m state --state NEW,ESTABLISHED -m comment \
--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' -j ACCEPT
ip6tables -A HJ-vnet0 -p udp -m state --state ESTABLISHED -m comment \
--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' -j RETURN
ip6tables -A FJ-vnet0 -p sctp -m state --state ESTABLISHED -m comment \
--comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' -j RETURN
ip6tables -A FP-vnet0 -p sctp -m state --state NEW,ESTABLISHED -m comment \
--comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' -j ACCEPT
ip6tables -A HJ-vnet0 -p sctp -m state --state ESTABLISHED -m comment \
--comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' -j RETURN
ip6tables -A FJ-vnet0 -p ah -m state --state ESTABLISHED -m comment \
--comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}' -j RETURN
ip6tables -A FP-vnet0 -p ah -m state --state NEW,ESTABLISHED -m comment \
--comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}' -j ACCEPT
ip6tables -A HJ-vnet0 -p ah -m state --state ESTABLISHED -m comment \
--comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}' -j RETURN

71
tests/nwfilterxml2firewalldata/comment.xml Normal file
View File

@ -0,0 +1,71 @@
<filter name='tck-testcase'>
<uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
<rule action='accept' direction='in'>
<mac protocolid='0x1234' comment='mac rule'/>
</rule>
<rule action='accept' direction='out'>
<ip srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
srcipaddr='10.1.2.3' srcipmask='255.255.255.255'
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
protocol='udp'
srcportstart='0x123' srcportend='0x234'
dstportstart='0x3456' dstportend='0x4567'
dscp='0x32' comment='ip rule'/>
</rule>
<rule action='accept' direction='out'>
<ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe'
dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80'
srcipaddr='::10.1.2.3' srcipmask='22'
dstipaddr='::10.1.2.3'
dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000'
protocol='tcp'
srcportstart='0x111' srcportend='400'
dstportstart='0x3333' dstportend='65535' comment='ipv6 rule'/>
</rule>
<rule action='accept' direction='out'>
<arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
hwtype='0x12'
protocoltype='0x56'
opcode='Request'
arpsrcmacaddr='1:2:3:4:5:6'
arpdstmacaddr='a:b:c:d:e:f'
comment='arp rule'/>
</rule>
<rule action='accept' direction='out'>
<udp srcmacaddr='1:2:3:4:5:6'
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
dscp='0x22'
srcportstart='0x123' srcportend='400'
dstportstart='0x234' dstportend='0x444'
comment='udp rule'/>
</rule>
<rule action='accept' direction='in'>
<tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
srcipaddr='a:b:c::' srcipmask='128'
dscp='0x39'
srcportstart='0x20' srcportend='0x21'
dstportstart='0x100' dstportend='0x1111'
comment='tcp/ipv6 rule'/>
</rule>
<rule action='accept' direction='in'>
<udp-ipv6 comment='`ls`;${COLUMNS};$(ls);"test";&amp;&apos;3 spaces&apos;'/>
</rule>
<rule action='accept' direction='in'>
<sctp-ipv6 comment='comment with lone &apos;, `, ", `, \, $x, and two spaces'/>
</rule>
<rule action='accept' direction='in'>
<ah-ipv6 comment='tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat &lt; ${tmp}; rm -f ${tmp}'/>
</rule>
</filter>

7
tests/nwfilterxml2firewalldata/conntrack-linux.args Normal file
View File

@ -0,0 +1,7 @@
iptables -A FJ-vnet0 -p icmp -m connlimit --connlimit-above 1 -j DROP
iptables -A HJ-vnet0 -p icmp -m connlimit --connlimit-above 1 -j DROP
iptables -A FJ-vnet0 -p tcp -m connlimit --connlimit-above 2 -j DROP
iptables -A HJ-vnet0 -p tcp -m connlimit --connlimit-above 2 -j DROP
iptables -A FJ-vnet0 -p all -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p all -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p all -m state --state NEW,ESTABLISHED -j RETURN

12
tests/nwfilterxml2firewalldata/conntrack.xml Normal file
View File

@ -0,0 +1,12 @@
<filter name='tck-testcase' chain='root'>
<uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
<rule action='drop' direction='out' priority='500'>
<icmp connlimit-above='1'/>
</rule>
<rule action='drop' direction='out' priority='500'>
<tcp connlimit-above='2'/>
</rule>
<rule action='accept' direction='out' priority='500'>
<all/>
</rule>
</filter>

20
tests/nwfilterxml2firewalldata/esp-ipv6-linux.args Normal file
View File

@ -0,0 +1,20 @@
ip6tables -A FJ-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
--state NEW,ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p esp --destination f:e:d::c:b:a/127 \
--source a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
--state NEW,ESTABLISHED -j RETURN
ip6tables -A FJ-vnet0 -p esp --destination a:b:c::/128 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
--source a:b:c::/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p esp --destination a:b:c::/128 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN
ip6tables -A FJ-vnet0 -p esp --destination ::10.1.2.3/128 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
--source ::10.1.2.3/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p esp --destination ::10.1.2.3/128 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN

19
tests/nwfilterxml2firewalldata/esp-ipv6.xml Normal file
View File

@ -0,0 +1,19 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<esp-ipv6 srcmacaddr='1:2:3:4:5:6'
dstipaddr='a:b:c::d:e:f' dstipmask='128'
srcipaddr='f:e:d::c:b:a' srcipmask='127'
dscp='2'/>
</rule>
<rule action='accept' direction='in'>
<esp-ipv6 srcmacaddr='1:2:3:4:5:6'
srcipaddr='a:b:c::' srcipmask='128'
dscp='33'/>
</rule>
<rule action='accept' direction='in'>
<esp-ipv6 srcmacaddr='1:2:3:4:5:6'
srcipaddr='::10.1.2.3' srcipmask='128'
dscp='33'/>
</rule>
</filter>

18
tests/nwfilterxml2firewalldata/esp-linux.args Normal file
View File

@ -0,0 +1,18 @@
iptables -A FJ-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p esp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
--state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p esp --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p esp --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p esp --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p esp --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN

18
tests/nwfilterxml2firewalldata/esp.xml Normal file
View File

@ -0,0 +1,18 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<esp srcmacaddr='1:2:3:4:5:6'
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
dscp='2'/>
</rule>
<rule action='accept' direction='in'>
<esp srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='22'
dscp='33'/>
</rule>
<rule action='accept' direction='in'>
<esp srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='22'
dscp='33'/>
</rule>
</filter>

13
tests/nwfilterxml2firewalldata/example-1-linux.args Normal file
View File

@ -0,0 +1,13 @@
iptables -A FJ-vnet0 -p tcp --sport 22 -m state --state ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED \
-j ACCEPT
iptables -A HJ-vnet0 -p tcp --sport 22 -m state --state ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p icmp -m state --state ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p icmp -m state --state ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p all -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p all -j DROP
iptables -A FP-vnet0 -p all -j DROP
iptables -A HJ-vnet0 -p all -j DROP

24
tests/nwfilterxml2firewalldata/example-1.xml Normal file
View File

@ -0,0 +1,24 @@
<filter name='tck-testcase'>
<uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
<!-- allow incoming ssh connections -->
<rule action='accept' direction='in' priority='100'>
<tcp dstportstart='22'/>
</rule>
<!-- allow incoming ICMP (ping) packets -->
<rule action='accept' direction='in' priority='200'>
<icmp/>
</rule>
<!-- allow all outgoing traffic -->
<rule action='accept' direction='in' priority='300'>
<all/>
</rule>
<!-- drop all other traffic -->
<rule action='drop' direction='inout' priority='1000'>
<all/>
</rule>
</filter>

20
tests/nwfilterxml2firewalldata/example-2-linux.args Normal file
View File

@ -0,0 +1,20 @@
iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED,RELATED -m comment \
--comment 'out: existing and related (ftp) connections' -j RETURN
iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED,RELATED -m comment \
--comment 'out: existing and related (ftp) connections' -j RETURN
iptables -A FP-vnet0 -p all -m state --state ESTABLISHED -m comment \
--comment 'in: existing connections' -j ACCEPT
iptables -A FP-vnet0 -p tcp --dport 21:22 -m state --state NEW -m comment \
--comment 'in: ftp and ssh' -j ACCEPT
iptables -A FP-vnet0 -p icmp -m state --state NEW -m comment \
--comment 'in: icmp' -j ACCEPT
iptables -A FJ-vnet0 -p udp --dport 53 -m state --state NEW -m comment \
--comment 'out: DNS lookups' -j RETURN
iptables -A HJ-vnet0 -p udp --dport 53 -m state --state NEW -m comment \
--comment 'out: DNS lookups' -j RETURN
iptables -A FJ-vnet0 -p all -m comment \
--comment 'inout: drop all non-accepted traffic' -j DROP
iptables -A FP-vnet0 -p all -m comment \
--comment 'inout: drop all non-accepted traffic' -j DROP
iptables -A HJ-vnet0 -p all -m comment \
--comment 'inout: drop all non-accepted traffic' -j DROP

37
tests/nwfilterxml2firewalldata/example-2.xml Normal file
View File

@ -0,0 +1,37 @@
<filter name='tck-testcase'>
<uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
<!-- VM outgoing: allow all established and related connections -->
<rule action='accept' direction='out' priority='100'>
<all state='ESTABLISHED,RELATED'
comment='out: existing and related (ftp) connections'/>
</rule>
<!-- VM incoming: allow all established connections -->
<rule action='accept' direction='in' priority='100'>
<all state='ESTABLISHED'
comment='in: existing connections'/>
</rule>
<!-- allow incoming ssh and ftp traffic -->
<rule action='accept' direction='in' priority='200'>
<tcp dstportstart='21' dstportend='22' state='NEW'
comment='in: ftp and ssh'/>
</rule>
<!-- allow incoming ICMP (ping) packets -->
<rule action='accept' direction='in' priority='300'>
<icmp state='NEW' comment='in: icmp'/>
</rule>
<!-- allow outgong DNS lookups -->
<rule action='accept' direction='out' priority='300'>
<udp dstportstart='53' state='NEW' comment='out: DNS lookups'/>
</rule>
<!-- drop all other traffic -->
<rule action='drop' direction='inout' priority='1000'>
<all comment='inout: drop all non-accepted traffic'/>
</rule>
</filter>

28
tests/nwfilterxml2firewalldata/hex-data-linux.args Normal file
View File

@ -0,0 +1,28 @@
ebtables -t nat -A libvirt-P-vnet0 -p 0x1234 -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p ipv4 --ip-source 10.1.2.3/32 \
--ip-destination 10.1.2.3/32 --ip-protocol 17 --ip-source-port 291:564 \
--ip-destination-port 13398:17767 --ip-tos 0x32 -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:80 -p ipv6 --ip6-source ::10.1.2.3/22 \
--ip6-destination ::10.1.2.3/113 --ip6-protocol 6 --ip6-source-port 273:400 \
--ip6-destination-port 13107:65535 -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x806 --arp-htype 18 --arp-opcode 1 \
--arp-ptype 0x56 --arp-mac-src 01:02:03:04:05:06 --arp-mac-dst 0a:0b:0c:0d:0e:0f \
-j ACCEPT
iptables -A FJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 34 --sport 291:400 --dport 564:1092 -m state \
--state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udp --source 10.1.2.3/32 -m dscp --dscp 34 \
--dport 291:400 --sport 564:1092 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 34 --sport 291:400 --dport 564:1092 -m state \
--state NEW,ESTABLISHED -j RETURN
ip6tables -A FJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 57 \
--dport 32:33 --sport 256:4369 -m state --state ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
--source a:b:c::/128 -m dscp --dscp 57 --sport 32:33 --dport 256:4369 -m state \
--state NEW,ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 57 \
--dport 32:33 --sport 256:4369 -m state --state ESTABLISHED -j RETURN

56
tests/nwfilterxml2firewalldata/hex-data.xml Normal file
View File

@ -0,0 +1,56 @@
<filter name='tck-testcase'>
<uuid>01a992d2-f8c8-7c27-f69b-ab0a9d377379</uuid>
<rule action='accept' direction='in'>
<mac protocolid='0x1234'/>
</rule>
<rule action='accept' direction='out'>
<ip srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
srcipaddr='10.1.2.3' srcipmask='255.255.255.255'
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
protocol='udp'
srcportstart='0x123' srcportend='0x234'
dstportstart='0x3456' dstportend='0x4567'
dscp='0x32'/>
</rule>
<rule action='accept' direction='out'>
<ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe'
dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80'
srcipaddr='::10.1.2.3' srcipmask='22'
dstipaddr='::10.1.2.3'
dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000'
protocol='tcp'
srcportstart='0x111' srcportend='400'
dstportstart='0x3333' dstportend='65535'/>
</rule>
<rule action='accept' direction='out'>
<arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
hwtype='0x12'
protocoltype='0x56'
opcode='Request'
arpsrcmacaddr='1:2:3:4:5:6'
arpdstmacaddr='a:b:c:d:e:f'/>
</rule>
<rule action='accept' direction='out'>
<udp srcmacaddr='1:2:3:4:5:6'
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
dscp='0x22'
srcportstart='0x123' srcportend='400'
dstportstart='0x234' dstportend='0x444'/>
</rule>
<rule action='accept' direction='in'>
<tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
srcipaddr='a:b:c::' srcipmask='128'
dscp='0x39'
srcportstart='0x20' srcportend='0x21'
dstportstart='0x100' dstportend='0x1111'/>
</rule>
</filter>

9
tests/nwfilterxml2firewalldata/icmp-direction-linux.args Normal file
View File

@ -0,0 +1,9 @@
iptables -A FP-vnet0 -p icmp --icmp-type 0 -m state --state NEW,ESTABLISHED \
-j ACCEPT
iptables -A FJ-vnet0 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED \
-j RETURN
iptables -A HJ-vnet0 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED \
-j RETURN
iptables -A FJ-vnet0 -p icmp -j DROP
iptables -A FP-vnet0 -p icmp -j DROP
iptables -A HJ-vnet0 -p icmp -j DROP

15
tests/nwfilterxml2firewalldata/icmp-direction.xml Normal file
View File

@ -0,0 +1,15 @@
<filter name='tck-testcase'>
<uuid>f4b3f745-d23d-2ee6-218a-d5671611229b</uuid>
<!-- allow incoming ICMP Echo Reply -->
<rule action='accept' direction='in' priority='500'>
<icmp type='0'/>
</rule>
<!-- allow outgoing ICMP Echo Request -->
<rule action='accept' direction='out' priority='500'>
<icmp type='8'/>
</rule>
<!-- drop all other ICMP traffic -->
<rule action='drop' direction='inout' priority='600'>
<icmp/>
</rule>
</filter>

9
tests/nwfilterxml2firewalldata/icmp-direction2-linux.args Normal file
View File

@ -0,0 +1,9 @@
iptables -A FP-vnet0 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED \
-j ACCEPT
iptables -A FJ-vnet0 -p icmp --icmp-type 0 -m state --state NEW,ESTABLISHED \
-j RETURN
iptables -A HJ-vnet0 -p icmp --icmp-type 0 -m state --state NEW,ESTABLISHED \
-j RETURN
iptables -A FJ-vnet0 -p icmp -j DROP
iptables -A FP-vnet0 -p icmp -j DROP
iptables -A HJ-vnet0 -p icmp -j DROP

15
tests/nwfilterxml2firewalldata/icmp-direction2.xml Normal file
View File

@ -0,0 +1,15 @@
<filter name='tck-testcase'>
<uuid>d6b1a2af-def6-2898-9f8d-4a74e3c39558</uuid>
<!-- allow incoming ICMP Echo Request -->
<rule action='accept' direction='in' priority='500'>
<icmp type='8'/>
</rule>
<!-- allow outgoing ICMP Echo Reply -->
<rule action='accept' direction='out' priority='500'>
<icmp type='0'/>
</rule>
<!-- drop all other ICMP traffic -->
<rule action='drop' direction='inout' priority='600'>
<icmp/>
</rule>
</filter>

6
tests/nwfilterxml2firewalldata/icmp-direction3-linux.args Normal file
View File

@ -0,0 +1,6 @@
iptables -A FJ-vnet0 -p icmp -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p icmp -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p icmp -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p all -j DROP
iptables -A FP-vnet0 -p all -j DROP
iptables -A HJ-vnet0 -p all -j DROP

10
tests/nwfilterxml2firewalldata/icmp-direction3.xml Normal file
View File

@ -0,0 +1,10 @@
<filter name='tck-testcase'>
<uuid>d6b1a2af-def6-2898-9f8d-4a74e3c39558</uuid>
<rule action='accept' direction='out' priority='500'>
<icmp/>
</rule>
<!-- drop all other traffic -->
<rule action='drop' direction='inout' priority='600'>
<all/>
</rule>
</filter>

9
tests/nwfilterxml2firewalldata/icmp-linux.args Normal file
View File

@ -0,0 +1,9 @@
iptables -A FJ-vnet0 -p icmp -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 --icmp-type 12/11 -m state \
--state NEW,ESTABLISHED -j RETURN
iptables -A HJ-vnet0 -p icmp -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 --icmp-type 12/11 -m state \
--state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p icmp -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 -m dscp --dscp 33 --icmp-type 255/255 -m state \
--state NEW,ESTABLISHED -j ACCEPT

13
tests/nwfilterxml2firewalldata/icmp.xml Normal file
View File

@ -0,0 +1,13 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<icmp srcmacaddr='1:2:3:4:5:6'
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
dscp='2' type='12' code='11'/>
</rule>
<rule action='accept' direction='in'>
<icmp srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='22'
dscp='33' type='255' code='255'/>
</rule>
</filter>

12
tests/nwfilterxml2firewalldata/icmpv6-linux.args Normal file
View File

@ -0,0 +1,12 @@
ip6tables -A FJ-vnet0 -p icmpv6 -m mac --mac-source 01:02:03:04:05:06 \
--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 \
--icmpv6-type 12/11 -m state --state NEW,ESTABLISHED -j RETURN
ip6tables -A HJ-vnet0 -p icmpv6 -m mac --mac-source 01:02:03:04:05:06 \
--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 \
--icmpv6-type 12/11 -m state --state NEW,ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p icmpv6 -m mac --mac-source 01:02:03:04:05:06 \
--source a:b:c::/128 -m dscp --dscp 33 --icmpv6-type 255/255 -m state \
--state NEW,ESTABLISHED -j ACCEPT
ip6tables -A FP-vnet0 -p icmpv6 -m mac --mac-source 01:02:03:04:05:06 \
--source ::10.1.2.3/128 -m dscp --dscp 33 --icmpv6-type 255/255 -m state \
--state NEW,ESTABLISHED -j ACCEPT

19
tests/nwfilterxml2firewalldata/icmpv6.xml Normal file
View File

@ -0,0 +1,19 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<icmpv6 srcmacaddr='1:2:3:4:5:6'
dstipaddr='a:b:c::d:e:f' dstipmask='128'
srcipaddr='f:e:d::c:b:a' srcipmask='127'
dscp='2' type='12' code='11'/>
</rule>
<rule action='accept' direction='in'>
<icmpv6 srcmacaddr='1:2:3:4:5:6'
srcipaddr='a:b:c::' srcipmask='128'
dscp='33' type='255' code='255'/>
</rule>
<rule action='accept' direction='in'>
<icmpv6 srcmacaddr='1:2:3:4:5:6'
srcipaddr='::10.1.2.3' srcipmask='128'
dscp='33' type='255' code='255'/>
</rule>
</filter>

18
tests/nwfilterxml2firewalldata/igmp-linux.args Normal file
View File

@ -0,0 +1,18 @@
iptables -A FJ-vnet0 -p igmp -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p igmp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
--state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p igmp -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p igmp --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p igmp -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p igmp --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p igmp --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p igmp -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p igmp --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m state --state ESTABLISHED -j RETURN

18
tests/nwfilterxml2firewalldata/igmp.xml Normal file
View File

@ -0,0 +1,18 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<igmp srcmacaddr='1:2:3:4:5:6'
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
dscp='2'/>
</rule>
<rule action='accept' direction='in'>
<igmp srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='22'
dscp='33'/>
</rule>
<rule action='accept' direction='in'>
<igmp srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='22'
dscp='33'/>
</rule>
</filter>

8
tests/nwfilterxml2firewalldata/ip-linux.args Normal file
View File

@ -0,0 +1,8 @@
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p ipv4 --ip-source 10.1.2.3/32 \
--ip-destination 10.1.2.3/32 --ip-protocol 17 --ip-source-port 20:22 \
--ip-destination-port 100:101 -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -p ipv4 --ip-source 10.1.2.3/17 \
--ip-destination 10.1.2.3/24 --ip-protocol 17 --ip-tos 0x3f -j ACCEPT
ebtables -t nat -A libvirt-P-vnet0 -p ipv4 --ip-source 10.1.2.3/31 \
--ip-destination 10.1.2.3/25 --ip-protocol 255 --ip-tos 0x3f -j ACCEPT

28
tests/nwfilterxml2firewalldata/ip.xml Normal file
View File

@ -0,0 +1,28 @@
<filter name='tck-testcase'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<ip srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
srcipaddr='10.1.2.3' srcipmask='255.255.255.255'
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
protocol='udp'
srcportstart='20' srcportend='22'
dstportstart='100' dstportend='101'
/>
</rule>
<rule action='accept' direction='out'>
<ip srcipaddr='10.1.2.3' srcipmask='255.255.128.0'
dstipaddr='10.1.2.3' dstipmask='255.255.255.0'
protocol='17' dscp='63'
/>
</rule>
<rule action='accept' direction='in'>
<ip srcipaddr='10.1.2.3' srcipmask='255.255.255.254'
dstipaddr='10.1.2.3' dstipmask='255.255.255.128'
protocol='255' dscp='63'
/>
</rule>
</filter>

36
tests/nwfilterxml2firewalldata/ipset-linux.args Normal file
View File

@ -0,0 +1,36 @@
iptables -A FJ-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \
--match-set tck_test src,dst -j RETURN
iptables -A FP-vnet0 -p all -m state --state ESTABLISHED -m set \
--match-set tck_test dst,src -j ACCEPT
iptables -A HJ-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \
--match-set tck_test src,dst -j RETURN
iptables -A FP-vnet0 -p all -m set --match-set tck_test src,dst -m comment \
--comment in+NONE -j ACCEPT
iptables -A FJ-vnet0 -p all -m set --match-set tck_test src,dst -m comment \
--comment out+NONE -j RETURN
iptables -A HJ-vnet0 -p all -m set --match-set tck_test src,dst -m comment \
--comment out+NONE -j RETURN
iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED -m set \
--match-set tck_test dst,src,dst -j RETURN
iptables -A FP-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \
--match-set tck_test src,dst,src -j ACCEPT
iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED -m set \
--match-set tck_test dst,src,dst -j RETURN
iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED -m set \
--match-set tck_test dst,src,dst -j RETURN
iptables -A FP-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \
--match-set tck_test src,dst,src -j ACCEPT
iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED -m set \
--match-set tck_test dst,src,dst -j RETURN
iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED -m set \
--match-set tck_test dst,src -j RETURN
iptables -A FP-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \
--match-set tck_test src,dst -j ACCEPT
iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED -m set \
--match-set tck_test dst,src -j RETURN
iptables -A FJ-vnet0 -p all -m set --match-set tck_test dst,src -m comment \
--comment inout -j RETURN
iptables -A FP-vnet0 -p all -m set --match-set tck_test src,dst -m comment \
--comment inout -j ACCEPT
iptables -A HJ-vnet0 -p all -m set --match-set tck_test dst,src -m comment \
--comment inout -j RETURN

25
tests/nwfilterxml2firewalldata/ipset.xml Normal file
View File

@ -0,0 +1,25 @@
<!-- #ipset help && iptables -t match-set -h && ipset list tck_test || ipset create tck_test hash:ip# -->
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<all ipset='tck_test' ipsetflags='src,dst' />
</rule>
<rule action='accept' direction='in'>
<all state='NONE' ipset='tck_test' ipsetflags='src,dst' comment='in+NONE'/>
</rule>
<rule action='accept' direction='out'>
<all state='NONE' ipset='tck_test' ipsetflags='src,dst' comment='out+NONE'/>
</rule>
<rule action='accept' direction='in'>
<all ipset='tck_test' ipsetflags='SRC,DST,SRC' />
</rule>
<rule action='accept' direction='in'>
<all ipset='tck_test' ipsetflags='SRC,dSt,SRC' />
</rule>
<rule action='accept' direction='in'>
<all ipset='$IPSETNAME' ipsetflags='src,dst' />
</rule>
<rule action='accept' direction='inout'>
<all ipset='$IPSETNAME' ipsetflags='src,dst' comment='inout'/>
</rule>
</filter>

2
tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args Normal file
View File

@ -0,0 +1,2 @@
iptables -A FP-vnet0 -p all -m mac '!' --mac-source 12:34:56:78:9a:bc -j DROP
iptables -A FP-vnet0 -p all -m mac '!' --mac-source aa:aa:aa:aa:aa:aa -j DROP

14
tests/nwfilterxml2firewalldata/ipt-no-macspoof.xml Normal file
View File

@ -0,0 +1,14 @@
<filter name='tck-testcase'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='drop' direction='inout'>
<!-- should use $MAC for MAC address, but tests would depend on VM's
MAC address -->
<all match='no' srcmacaddr='12:34:56:78:9a:bc'/>
</rule>
<rule action='drop' direction='in'>
<!-- not accepting incoming traffic from a certain MAC address -->
<all match='no' srcmacaddr='aa:aa:aa:aa:aa:aa'/>
</rule>
</filter>

20
tests/nwfilterxml2firewalldata/ipv6-linux.args Normal file
View File

@ -0,0 +1,20 @@
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:80 -p ipv6 --ip6-source ::10.1.2.3/22 \
--ip6-destination ::10.1.2.3/113 --ip6-protocol 17 --ip6-source-port 20:22 \
--ip6-destination-port 100:101 -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \
--ip6-source a:b:c::/65 --ip6-protocol 6 --ip6-destination-port 20:22 \
--ip6-source-port 100:101 -j ACCEPT
ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \
--ip6-destination a:b:c::/65 --ip6-protocol 6 --ip6-source-port 20:22 \
--ip6-destination-port 100:101 -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \
--ip6-source a:b:c::/65 --ip6-protocol 6 --ip6-destination-port 255:256 \
--ip6-source-port 65535:65535 -j ACCEPT
ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \
--ip6-destination a:b:c::/65 --ip6-protocol 6 --ip6-source-port 255:256 \
--ip6-destination-port 65535:65535 -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \
--ip6-source a:b:c::/65 --ip6-protocol 18 -j ACCEPT
ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \
--ip6-destination a:b:c::/65 --ip6-protocol 18 -j ACCEPT

43
tests/nwfilterxml2firewalldata/ipv6.xml Normal file
View File

@ -0,0 +1,43 @@
<filter name='tck-testcase'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe'
dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80'
srcipaddr='::10.1.2.3' srcipmask='22'
dstipaddr='::10.1.2.3'
dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000'
protocol='udp'
srcportstart='20' srcportend='22'
dstportstart='100' dstportend='101'
/>
</rule>
<rule action='accept' direction='inout'>
<ipv6 srcipaddr='1::2' srcipmask='128'
dstipaddr='a:b:c::'
dstipmask='ffff:ffff:ffff:ffff:8000::'
protocol='6'
srcportstart='20' srcportend='22'
dstportstart='100' dstportend='101'
/>
</rule>
<rule action='accept' direction='inout'>
<ipv6 srcipaddr='1::2' srcipmask='128'
dstipaddr='a:b:c::'
dstipmask='ffff:ffff:ffff:ffff:8000::'
protocol='6'
srcportstart='255' srcportend='256'
dstportstart='65535' dstportend='65535'
/>
</rule>
<rule action='accept' direction='inout'>
<ipv6 srcipaddr='1::2' srcipmask='128'
dstipaddr='a:b:c::'
dstipmask='ffff:ffff:ffff:ffff:8000::'
protocol='18'
/>
</rule>
</filter>

18
tests/nwfilterxml2firewalldata/iter1-linux.args Normal file
View File

@ -0,0 +1,18 @@
iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 2 --sport 80 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 2 --dport 80 \
-m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 2 --sport 80 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 2 --dport 90 \
-m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 2 --sport 80 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 2 --dport 80 \
-m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 2 --sport 80 \
-m state --state NEW,ESTABLISHED -j RETURN

6
tests/nwfilterxml2firewalldata/iter1.xml Normal file
View File

@ -0,0 +1,6 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<tcp srcipaddr='$A' srcportstart='$B' dscp='2'/>
</rule>
</filter>

342
tests/nwfilterxml2firewalldata/iter2-linux.args Normal file
View File

@ -0,0 +1,342 @@
iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 80 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 1 --dport 80 \
-m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 80 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 1 --sport 90 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 1 --dport 90 \
-m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 1 --sport 90 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 1 --sport 80 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 1 --dport 80 \
-m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 1 --sport 80 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p udp --source 1.1.1.1 -m dscp --dscp 2 --sport 80 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udp --destination 1.1.1.1 -m dscp --dscp 2 --dport 80 \
-m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udp --source 1.1.1.1 -m dscp --dscp 2 --sport 80 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 80 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udp --destination 2.2.2.2 -m dscp --dscp 2 --dport 80 \
-m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 80 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p udp --source 3.3.3.3 -m dscp --dscp 2 --sport 80 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udp --destination 3.3.3.3 -m dscp --dscp 2 --dport 80 \
-m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udp --source 3.3.3.3 -m dscp --dscp 2 --sport 80 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p udp --source 1.1.1.1 -m dscp --dscp 2 --sport 90 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udp --destination 1.1.1.1 -m dscp --dscp 2 --dport 90 \
-m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udp --source 1.1.1.1 -m dscp --dscp 2 --sport 90 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udp --destination 2.2.2.2 -m dscp --dscp 2 --dport 90 \
-m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p udp --source 3.3.3.3 -m dscp --dscp 2 --sport 90 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udp --destination 3.3.3.3 -m dscp --dscp 2 --dport 90 \
-m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udp --source 3.3.3.3 -m dscp --dscp 2 --sport 90 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \
--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p sctp --destination 1.1.1.1 -m dscp --dscp 3 \
--dport 80 --sport 1080 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \
--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 -m dscp --dscp 3 \
--dport 80 --sport 1080 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \
--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p sctp --destination 3.3.3.3 -m dscp --dscp 3 \
--dport 80 --sport 1080 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \
--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 90 \
--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p sctp --destination 1.1.1.1 -m dscp --dscp 3 \
--dport 90 --sport 1090 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 90 \
--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 90 \
--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 -m dscp --dscp 3 \
--dport 90 --sport 1090 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 90 \
--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 90 \
--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p sctp --destination 3.3.3.3 -m dscp --dscp 3 \
--dport 90 --sport 1090 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 90 \
--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \
--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p sctp --destination 1.1.1.1 -m dscp --dscp 3 \
--dport 80 --sport 1100 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \
--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 -m dscp --dscp 3 \
--dport 80 --sport 1100 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \
--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p sctp --destination 3.3.3.3 -m dscp --dscp 3 \
--dport 80 --sport 1100 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \
--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \
--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p sctp --destination 1.1.1.1 -m dscp --dscp 3 \
--dport 80 --sport 1110 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \
--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 -m dscp --dscp 3 \
--dport 80 --sport 1110 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \
--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p sctp --destination 3.3.3.3 -m dscp --dscp 3 \
--dport 80 --sport 1110 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \
--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 80 \
--sport 1080 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 80 \
--sport 1080 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 80 \
--sport 1080 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 90 \
--sport 1080 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 90 \
--sport 1080 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 90 \
--sport 1080 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 80 \
--sport 1090 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 80 \
--sport 1090 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 80 \
--sport 1090 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 90 \
--sport 1090 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 90 \
--sport 1090 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 90 \
--sport 1090 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 80 \
--sport 1100 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 80 \
--sport 1100 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 80 \
--sport 1100 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 90 \
--sport 1100 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 90 \
--sport 1100 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 90 \
--sport 1100 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 80 \
--sport 1110 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 80 \
--sport 1110 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 80 \
--sport 1110 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 90 \
--sport 1110 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 90 \
--sport 1110 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 90 \
--sport 1110 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p udp --source 1.1.1.1 --destination 1.1.1.1 -m dscp \
--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udp --destination 1.1.1.1 --source 1.1.1.1 -m dscp \
--dscp 5 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udp --source 1.1.1.1 --destination 1.1.1.1 -m dscp \
--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p udp --source 2.2.2.2 --destination 1.1.1.1 -m dscp \
--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udp --destination 2.2.2.2 --source 1.1.1.1 -m dscp \
--dscp 5 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udp --source 2.2.2.2 --destination 1.1.1.1 -m dscp \
--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p udp --source 3.3.3.3 --destination 1.1.1.1 -m dscp \
--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udp --destination 3.3.3.3 --source 1.1.1.1 -m dscp \
--dscp 5 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udp --source 3.3.3.3 --destination 1.1.1.1 -m dscp \
--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p udp --source 1.1.1.1 --destination 2.2.2.2 -m dscp \
--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udp --destination 1.1.1.1 --source 2.2.2.2 -m dscp \
--dscp 5 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udp --source 1.1.1.1 --destination 2.2.2.2 -m dscp \
--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p udp --source 2.2.2.2 --destination 2.2.2.2 -m dscp \
--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udp --destination 2.2.2.2 --source 2.2.2.2 -m dscp \
--dscp 5 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udp --source 2.2.2.2 --destination 2.2.2.2 -m dscp \
--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p udp --source 3.3.3.3 --destination 2.2.2.2 -m dscp \
--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udp --destination 3.3.3.3 --source 2.2.2.2 -m dscp \
--dscp 5 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udp --source 3.3.3.3 --destination 2.2.2.2 -m dscp \
--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p udp --source 1.1.1.1 --destination 3.3.3.3 -m dscp \
--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udp --destination 1.1.1.1 --source 3.3.3.3 -m dscp \
--dscp 5 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udp --source 1.1.1.1 --destination 3.3.3.3 -m dscp \
--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p udp --source 2.2.2.2 --destination 3.3.3.3 -m dscp \
--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udp --destination 2.2.2.2 --source 3.3.3.3 -m dscp \
--dscp 5 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udp --source 2.2.2.2 --destination 3.3.3.3 -m dscp \
--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p udp --source 3.3.3.3 --destination 3.3.3.3 -m dscp \
--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udp --destination 3.3.3.3 --source 3.3.3.3 -m dscp \
--dscp 5 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udp --source 3.3.3.3 --destination 3.3.3.3 -m dscp \
--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p sctp --source 1.1.1.1 --destination 1.1.1.1 -m dscp \
--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p sctp --destination 1.1.1.1 --source 1.1.1.1 -m dscp \
--dscp 6 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p sctp --source 1.1.1.1 --destination 1.1.1.1 -m dscp \
--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 --destination 2.2.2.2 -m dscp \
--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 --source 2.2.2.2 -m dscp \
--dscp 6 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 --destination 2.2.2.2 -m dscp \
--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p sctp --source 3.3.3.3 --destination 3.3.3.3 -m dscp \
--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p sctp --destination 3.3.3.3 --source 3.3.3.3 -m dscp \
--dscp 6 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p sctp --source 3.3.3.3 --destination 3.3.3.3 -m dscp \
--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN

23
tests/nwfilterxml2firewalldata/iter2.xml Normal file
View File

@ -0,0 +1,23 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<tcp srcipaddr='$A' srcportstart='$B[@0]' dscp='1'/>
</rule>
<rule action='accept' direction='out'>
<udp srcipaddr='$A[@1]' srcportstart='$B[@2]' dscp='2'/>
</rule>
<rule action='accept' direction='out'>
<sctp srcipaddr='$A[@1]' srcportstart='$B[@2]' dstportstart='$C[@2]'
dscp='3'/>
</rule>
<rule action='accept' direction='out'>
<tcp srcipaddr='$A[@1]' srcportstart='$B[@2]' dstportstart='$C[@3]'
dscp='4'/>
</rule>
<rule action='accept' direction='out'>
<udp srcipaddr='$A[@1]' dstipaddr='$A[@2]' dscp='5'/>
</rule>
<rule action='accept' direction='out'>
<sctp srcipaddr='$A' dstipaddr='$A' dscp='6'/>
</rule>
</filter>

30
tests/nwfilterxml2firewalldata/iter3-linux.args Normal file
View File

@ -0,0 +1,30 @@
iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 80 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 1 --dport 80 \
-m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 80 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 90 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 1 --dport 90 \
-m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 90 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 80 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udp --destination 2.2.2.2 -m dscp --dscp 2 --dport 80 \
-m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 80 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udp --destination 2.2.2.2 -m dscp --dscp 2 --dport 90 \
-m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \
-m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 -m dscp --dscp 3 \
--dport 80 --sport 1100 -m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN

13
tests/nwfilterxml2firewalldata/iter3.xml Normal file
View File

@ -0,0 +1,13 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<tcp srcipaddr='$A[ 0]' srcportstart='$B[ @0 ] ' dscp='1'/>
</rule>
<rule action='accept' direction='out'>
<udp srcipaddr='$A[1 ]' srcportstart='$B[ @2 ]' dscp='2'/>
</rule>
<rule action='accept' direction='out'>
<sctp srcipaddr='$A[ 1 ] ' srcportstart='$B[2 ] ' dstportstart='$C[ 2 ]'
dscp='3'/>
</rule>
</filter>

8
tests/nwfilterxml2firewalldata/mac-linux.args Normal file
View File

@ -0,0 +1,8 @@
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 -j ACCEPT
ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x800 -j ACCEPT
ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x600 -j ACCEPT
ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0xffff -j ACCEPT

19
tests/nwfilterxml2firewalldata/mac.xml Normal file
View File

@ -0,0 +1,19 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
protocolid='arp'/>
</rule>
<rule action='accept' direction='in'>
<mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
protocolid='ipv4'/>
</rule>
<rule action='accept' direction='in'>
<mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
protocolid='1536'/>
</rule>
<rule action='accept' direction='in'>
<mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
protocolid='65535'/>
</rule>
</filter>

12
tests/nwfilterxml2firewalldata/rarp-linux.args Normal file
View File

@ -0,0 +1,12 @@
ebtables -t nat -N libvirt-J-vnet0
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8035 --arp-htype 12 --arp-opcode 1 \
--arp-ptype 0x22 --arp-mac-src 01:02:03:04:05:06 --arp-mac-dst 0a:0b:0c:0d:0e:0f \
-j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x8035 --arp-htype 255 --arp-opcode 1 --arp-ptype 0xff -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x8035 --arp-htype 256 --arp-opcode 11 --arp-ptype 0x100 -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x8035 --arp-htype 65535 --arp-opcode 65535 --arp-ptype 0xffff -j ACCEPT
ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0

28
tests/nwfilterxml2firewalldata/rarp.xml Normal file
View File

@ -0,0 +1,28 @@
<filter name='tck-testcase'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
protocolid='rarp'
dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
hwtype='12'
protocoltype='34'
opcode='Request'
arpsrcmacaddr='1:2:3:4:5:6'
arpdstmacaddr='a:b:c:d:e:f'/>
</rule>
<rule action='accept' direction='out'>
<rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
opcode='1' hwtype='255' protocoltype='255'/>
</rule>
<rule action='accept' direction='out'>
<rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
opcode='11' hwtype='256' protocoltype='256'/>
</rule>
<rule action='accept' direction='out'>
<rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
opcode='65535' hwtype='65535' protocoltype='65535' />
</rule>
</filter>

18
tests/nwfilterxml2firewalldata/ref-rule.xml Normal file
View File

@ -0,0 +1,18 @@
<filter name='tck-testcase'>
<uuid>83011800-f663-96d6-8841-fd836b4318c6</uuid>
<filterref filter='clean-traffic'/>
<rule action='accept' direction='out'>
<mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
protocolid='arp'/>
</rule>
<rule action='accept' direction='out'>
<tcp srcmacaddr='1:2:3:4:5:6'
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
dscp='2'/>
</rule>
<rule action='accept' direction='out'>
<udp-ipv6 srcmacaddr='1:2:3:4:5:6'
dstipaddr='a:b:c::d:e:f' dstipmask='128'
dscp='2'/>
</rule>
</filter>

4
tests/nwfilterxml2firewalldata/ref.xml Normal file
View File

@ -0,0 +1,4 @@
<filter name='tck-testcase'>
<uuid>83011800-f663-96d6-8841-fd836b4318c6</uuid>
<filterref filter='clean-traffic'/>
</filter>

22
tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args Normal file
View File

@ -0,0 +1,22 @@
ip6tables -A FJ-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
-j RETURN
ip6tables -A FP-vnet0 -p sctp --source a:b:c::d:e:f/128 -m dscp --dscp 2 \
-m state --state ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
-j RETURN
ip6tables -A FJ-vnet0 -p sctp --destination a:b:c::/128 -m dscp --dscp 33 \
--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
--source a:b:c::/128 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
--state NEW,ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p sctp --destination a:b:c::/128 -m dscp --dscp 33 \
--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
ip6tables -A FJ-vnet0 -p sctp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
--source ::10.1.2.3/128 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -m state \
--state NEW,ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p sctp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN

22
tests/nwfilterxml2firewalldata/sctp-ipv6.xml Normal file
View File

@ -0,0 +1,22 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
dstipaddr='a:b:c::d:e:f' dstipmask='128'
dscp='2'/>
</rule>
<rule action='accept' direction='in'>
<sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
srcipaddr='a:b:c::' srcipmask='128'
dscp='33'
srcportstart='20' srcportend='21'
dstportstart='100' dstportend='1111'/>
</rule>
<rule action='accept' direction='in'>
<sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
srcipaddr='::10.1.2.3' srcipmask='128'
dscp='63'
srcportstart='255' srcportend='256'
dstportstart='65535' dstportend='65535'/>
</rule>
</filter>

20
tests/nwfilterxml2firewalldata/sctp-linux.args Normal file
View File

@ -0,0 +1,20 @@
iptables -A FJ-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p sctp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
--state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p sctp --destination 10.1.2.3/32 -m dscp --dscp 33 \
--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/32 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
--state NEW,ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p sctp --destination 10.1.2.3/32 -m dscp --dscp 33 \
--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p sctp --destination 10.1.2.3/32 -m dscp --dscp 63 \
--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/32 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -m state \
--state NEW,ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p sctp --destination 10.1.2.3/32 -m dscp --dscp 63 \
--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN

22
tests/nwfilterxml2firewalldata/sctp.xml Normal file
View File

@ -0,0 +1,22 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<sctp srcmacaddr='1:2:3:4:5:6'
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
dscp='2'/>
</rule>
<rule action='accept' direction='in'>
<sctp srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='32'
dscp='33'
srcportstart='20' srcportend='21'
dstportstart='100' dstportend='1111'/>
</rule>
<rule action='accept' direction='in'>
<sctp srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='32'
dscp='63'
srcportstart='255' srcportend='256'
dstportstart='65535' dstportend='65535'/>
</rule>
</filter>

18
tests/nwfilterxml2firewalldata/stp-linux.args Normal file
View File

@ -0,0 +1,18 @@
ebtables -t nat -F J-vnet0-stp-xyz
ebtables -t nat -X J-vnet0-stp-xyz
ebtables -t nat -N J-vnet0-stp-xyz
ebtables -t nat -A libvirt-J-vnet0 -d 01:80:c2:00:00:00 -j J-vnet0-stp-xyz
ebtables -t nat -F P-vnet0-stp-xyz
ebtables -t nat -X P-vnet0-stp-xyz
ebtables -t nat -N P-vnet0-stp-xyz
ebtables -t nat -A libvirt-P-vnet0 -d 01:80:c2:00:00:00 -j P-vnet0-stp-xyz
ebtables -t nat -A P-vnet0-stp-xyz -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d 01:80:c2:00:00:00 --stp-type 18 --stp-flags 68 -j CONTINUE
ebtables -t nat -A J-vnet0-stp-xyz -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d 01:80:c2:00:00:00 --stp-root-pri 4660:9029 \
--stp-root-addr 06:05:04:03:02:01/ff:ff:ff:ff:ff:ff \
--stp-root-cost 287454020:573785173 -j RETURN
ebtables -t nat -A P-vnet0-stp-xyz -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d 01:80:c2:00:00:00 --stp-sender-prio 4660 --stp-sender-addr 06:05:04:03:02:01 \
--stp-port 123:234 --stp-msg-age 5544:5555 --stp-max-age 7777:8888 \
--stp-hello-time 12345:12346 --stp-forward-delay 54321:65432 -j DROP

26
tests/nwfilterxml2firewalldata/stp.xml Normal file
View File

@ -0,0 +1,26 @@
<filter name='tck-testcase' chain='stp-xyz'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='continue' direction='in'>
<stp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
type='0x12' flags='0x44'/>
</rule>
<rule action='return' direction='out'>
<stp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
root-priority='0x1234' root-priority-hi='0x2345'
root-address="6:5:4:3:2:1" root-address-mask='ff:ff:ff:ff:ff:ff'
root-cost='0x11223344' root-cost-hi='0x22334455' />
</rule>
<rule action='reject' direction='in'>
<stp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
sender-priority='0x1234'
sender-address="6:5:4:3:2:1"
port='123' port-hi='234'
age='5544' age-hi='5555'
max-age='7777' max-age-hi='8888'
hello-time='12345' hello-time-hi='12346'
forward-delay='54321' forward-delay-hi='65432'/>
</rule>
</filter>

75
tests/nwfilterxml2firewalldata/target-linux.args Normal file
View File

@ -0,0 +1,75 @@
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 -j DROP
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 -j DROP
ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x800 -j ACCEPT
ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x800 -j DROP
ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x800 -j DROP
iptables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -m comment \
--comment 'accept rule -- dir out' -j RETURN
iptables -A FP-vnet0 -p all --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
--state ESTABLISHED -m comment --comment 'accept rule -- dir out' -j ACCEPT
iptables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -m comment \
--comment 'accept rule -- dir out' -j RETURN
iptables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m comment \
--comment 'drop rule -- dir out' -j DROP
iptables -A FP-vnet0 -p all --source 10.1.2.3/32 -m dscp --dscp 2 -m comment \
--comment 'drop rule -- dir out' -j DROP
iptables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m comment \
--comment 'drop rule -- dir out' -j DROP
iptables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m comment \
--comment 'reject rule -- dir out' -j REJECT
iptables -A FP-vnet0 -p all --source 10.1.2.3/32 -m dscp --dscp 2 \
-m comment --comment 'reject rule -- dir out' -j REJECT
iptables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m comment \
--comment 'reject rule -- dir out' -j REJECT
iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m state --state ESTABLISHED -m comment --comment 'accept rule -- dir in' -j RETURN
iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -m comment \
--comment 'accept rule -- dir in' -j ACCEPT
iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m state --state ESTABLISHED -m comment --comment 'accept rule -- dir in' -j RETURN
iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m comment --comment 'drop rule -- dir in' -j DROP
iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 -m dscp --dscp 33 -m comment --comment 'drop rule -- dir in' \
-j DROP
iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m comment --comment 'drop rule -- dir in' -j DROP
iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m comment --comment 'reject rule -- dir in' -j REJECT
iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 -m dscp --dscp 33 -m comment --comment 'reject rule -- dir in' \
-j REJECT
iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m comment --comment 'reject rule -- dir in' -j REJECT
iptables -A FJ-vnet0 -p all -m comment --comment 'accept rule -- dir inout' \
-j RETURN
iptables -A FP-vnet0 -p all -m comment --comment 'accept rule -- dir inout' \
-j ACCEPT
iptables -A HJ-vnet0 -p all -m comment --comment 'accept rule -- dir inout' \
-j RETURN
iptables -A FJ-vnet0 -p all -m comment --comment 'drop rule -- dir inout' \
-j DROP
iptables -A FP-vnet0 -p all -m comment --comment 'drop rule -- dir inout' \
-j DROP
iptables -A HJ-vnet0 -p all -m comment --comment 'drop rule -- dir inout' \
-j DROP
iptables -A FJ-vnet0 -p all -m comment --comment 'reject rule -- dir inout' \
-j REJECT
iptables -A FP-vnet0 -p all -m comment --comment 'reject rule -- dir inout' \
-j REJECT
iptables -A HJ-vnet0 -p all -m comment --comment 'reject rule -- dir inout' \
-j REJECT

66
tests/nwfilterxml2firewalldata/target.xml Normal file
View File

@ -0,0 +1,66 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<all srcmacaddr='1:2:3:4:5:6'
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
dscp='2' comment='accept rule -- dir out'/>
</rule>
<rule action='drop' direction='out'>
<all srcmacaddr='1:2:3:4:5:6'
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
dscp='2' comment='drop rule -- dir out'/>
</rule>
<rule action='reject' direction='out'>
<all srcmacaddr='1:2:3:4:5:6'
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
dscp='2' comment='reject rule -- dir out'/>
</rule>
<rule action='accept' direction='in'>
<all srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='22'
dscp='33' comment='accept rule -- dir in'/>
</rule>
<rule action='drop' direction='in'>
<all srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='22'
dscp='33' comment='drop rule -- dir in'/>
</rule>
<rule action='reject' direction='in'>
<all srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='22'
dscp='33' comment='reject rule -- dir in'/>
</rule>
<rule action='accept' direction='inout'>
<all comment='accept rule -- dir inout'/>
</rule>
<rule action='drop' direction='in'>
<all comment='drop rule -- dir inout'/>
</rule>
<rule action='reject' direction='in'>
<all comment='reject rule -- dir inout'/>
</rule>
<rule action='accept' direction='out'>
<mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
protocolid='arp'/>
</rule>
<rule action='drop' direction='out'>
<mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
protocolid='arp'/>
</rule>
<rule action='reject' direction='out'>
<mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
protocolid='arp'/>
</rule>
<rule action='accept' direction='in'>
<mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
protocolid='ipv4'/>
</rule>
<rule action='drop' direction='in'>
<mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
protocolid='ipv4'/>
</rule>
<rule action='reject' direction='in'>
<mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
protocolid='ipv4'/>
</rule>
</filter>

13
tests/nwfilterxml2firewalldata/target2-linux.args Normal file
View File

@ -0,0 +1,13 @@
iptables -A FP-vnet0 -p tcp --dport 22 -j ACCEPT
iptables -A FJ-vnet0 -p tcp --sport 22 -j RETURN
iptables -A HJ-vnet0 -p tcp --sport 22 -j RETURN
iptables -A FJ-vnet0 -p tcp --sport 80 -m state --state ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED \
-j ACCEPT
iptables -A HJ-vnet0 -p tcp --sport 80 -m state --state ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp -j REJECT
iptables -A FP-vnet0 -p tcp -j REJECT
iptables -A HJ-vnet0 -p tcp -j REJECT
iptables -A FJ-vnet0 -p all -j DROP
iptables -A FP-vnet0 -p all -j DROP
iptables -A HJ-vnet0 -p all -j DROP

18
tests/nwfilterxml2firewalldata/target2.xml Normal file
View File

@ -0,0 +1,18 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='in'>
<tcp dstportstart='22' state='NONE'/>
</rule>
<rule action='accept' direction='out'>
<tcp srcportstart='22' state='NONE'/>
</rule>
<rule action='accept' direction='in'>
<tcp dstportstart='80'/>
</rule>
<rule action='reject' direction='inout'>
<tcp/>
</rule>
<rule action='drop' direction='inout'>
<all/>
</rule>
</filter>

22
tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args Normal file
View File

@ -0,0 +1,22 @@
ip6tables -A FJ-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
-j RETURN
ip6tables -A FP-vnet0 -p tcp --source a:b:c::d:e:f/128 -m dscp --dscp 2 \
-m state --state ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
-j RETURN
ip6tables -A FJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 33 \
--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
--source a:b:c::/128 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
--state NEW,ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 33 \
--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
ip6tables -A FJ-vnet0 -p tcp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
--source ::10.1.2.3/128 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -m state \
--state NEW,ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p tcp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN

22
tests/nwfilterxml2firewalldata/tcp-ipv6.xml Normal file
View File

@ -0,0 +1,22 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
dstipaddr='a:b:c::d:e:f' dstipmask='128'
dscp='2'/>
</rule>
<rule action='accept' direction='in'>
<tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
srcipaddr='a:b:c::' srcipmask='128'
dscp='33'
srcportstart='20' srcportend='21'
dstportstart='100' dstportend='1111'/>
</rule>
<rule action='accept' direction='in'>
<tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
srcipaddr='::10.1.2.3' srcipmask='128'
dscp='63'
srcportstart='255' srcportend='256'
dstportstart='65535' dstportend='65535'/>
</rule>
</filter>

22
tests/nwfilterxml2firewalldata/tcp-linux.args Normal file
View File

@ -0,0 +1,22 @@
iptables -A FJ-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p tcp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
--state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p tcp --destination 10.1.2.3/32 -m dscp --dscp 33 \
--dport 20:21 --sport 100:1111 -j RETURN
iptables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/32 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -j ACCEPT
iptables -A HJ-vnet0 -p tcp --destination 10.1.2.3/32 -m dscp --dscp 33 \
--dport 20:21 --sport 100:1111 -j RETURN
iptables -A FJ-vnet0 -p tcp --destination 10.1.2.3/32 -m dscp --dscp 63 \
--dport 255:256 --sport 65535:65535 -j RETURN
iptables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/32 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -j ACCEPT
iptables -A HJ-vnet0 -p tcp --destination 10.1.2.3/32 -m dscp --dscp 63 \
--dport 255:256 --sport 65535:65535 -j RETURN
iptables -A FP-vnet0 -p tcp --tcp-flags SYN ALL -j ACCEPT
iptables -A FP-vnet0 -p tcp --tcp-flags SYN SYN,ACK -j ACCEPT
iptables -A FP-vnet0 -p tcp --tcp-flags RST NONE -j ACCEPT
iptables -A FP-vnet0 -p tcp --tcp-flags PSH NONE -j ACCEPT

34
tests/nwfilterxml2firewalldata/tcp.xml Normal file
View File

@ -0,0 +1,34 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<tcp srcmacaddr='1:2:3:4:5:6'
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
dscp='2'/>
</rule>
<rule action='accept' direction='in' statematch='false'>
<tcp srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='32'
dscp='33'
srcportstart='20' srcportend='21'
dstportstart='100' dstportend='1111'/>
</rule>
<rule action='accept' direction='in' statematch='0'>
<tcp srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='32'
dscp='63'
srcportstart='255' srcportend='256'
dstportstart='65535' dstportend='65535'/>
</rule>
<rule action='accept' direction='in'>
<tcp state='NONE' flags='SYN/ALL'/>
</rule>
<rule action='accept' direction='in'>
<tcp state='NONE' flags='SYN/SYN,ACK'/>
</rule>
<rule action='accept' direction='in'>
<tcp state='NONE' flags='RST/NONE'/>
</rule>
<rule action='accept' direction='in'>
<tcp state='NONE' flags='PSH/'/>
</rule>
</filter>

22
tests/nwfilterxml2firewalldata/udp-ipv6-linux.args Normal file
View File

@ -0,0 +1,22 @@
ip6tables -A FJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
-j RETURN
ip6tables -A FP-vnet0 -p udp --source a:b:c::d:e:f/128 -m dscp --dscp 2 \
-m state --state ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
-j RETURN
ip6tables -A FJ-vnet0 -p udp --destination ::a:b:c/128 -m dscp --dscp 33 \
--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
--source ::a:b:c/128 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
--state NEW,ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p udp --destination ::a:b:c/128 -m dscp --dscp 33 \
--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
ip6tables -A FJ-vnet0 -p udp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
--source ::10.1.2.3/128 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 \
-m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p udp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN

22
tests/nwfilterxml2firewalldata/udp-ipv6.xml Normal file
View File

@ -0,0 +1,22 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<udp-ipv6 srcmacaddr='1:2:3:4:5:6'
dstipaddr='a:b:c::d:e:f' dstipmask='128'
dscp='2'/>
</rule>
<rule action='accept' direction='in'>
<udp-ipv6 srcmacaddr='1:2:3:4:5:6'
srcipaddr='::a:b:c' srcipmask='128'
dscp='33'
srcportstart='20' srcportend='21'
dstportstart='100' dstportend='1111'/>
</rule>
<rule action='accept' direction='in'>
<udp-ipv6 srcmacaddr='1:2:3:4:5:6'
srcipaddr='::10.1.2.3' srcipmask='128'
dscp='63'
srcportstart='255' srcportend='256'
dstportstart='65535' dstportend='65535'/>
</rule>
</filter>

20
tests/nwfilterxml2firewalldata/udp-linux.args Normal file
View File

@ -0,0 +1,20 @@
iptables -A FJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
--state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p udp --destination 10.1.2.3/32 -m dscp --dscp 33 \
--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/32 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
--state NEW,ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udp --destination 10.1.2.3/32 -m dscp --dscp 33 \
--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p udp --destination 10.1.2.3/32 -m dscp --dscp 63 \
--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/32 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -m state \
--state NEW,ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udp --destination 10.1.2.3/32 -m dscp --dscp 63 \
--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN

22
tests/nwfilterxml2firewalldata/udp.xml Normal file
View File

@ -0,0 +1,22 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<udp srcmacaddr='1:2:3:4:5:6'
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
dscp='2'/>
</rule>
<rule action='accept' direction='in'>
<udp srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='32'
dscp='33'
srcportstart='20' srcportend='21'
dstportstart='100' dstportend='1111'/>
</rule>
<rule action='accept' direction='in'>
<udp srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='32'
dscp='63'
srcportstart='255' srcportend='256'
dstportstart='65535' dstportend='65535'/>
</rule>
</filter>

20
tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args Normal file
View File

@ -0,0 +1,20 @@
ip6tables -A FJ-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
--state NEW,ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p udplite --destination f:e:d::c:b:a/127 \
--source a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
--state NEW,ESTABLISHED -j RETURN
ip6tables -A FJ-vnet0 -p udplite --destination a:b:c::/128 -m dscp \
--dscp 33 -m state --state ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
--source a:b:c::/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p udplite --destination a:b:c::/128 -m dscp \
--dscp 33 -m state --state ESTABLISHED -j RETURN
ip6tables -A FJ-vnet0 -p udplite --destination ::10.1.2.3/128 -m dscp \
--dscp 33 -m state --state ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
--source ::10.1.2.3/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p udplite --destination ::10.1.2.3/128 -m dscp \
--dscp 33 -m state --state ESTABLISHED -j RETURN

19
tests/nwfilterxml2firewalldata/udplite-ipv6.xml Normal file
View File

@ -0,0 +1,19 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
dstipaddr='a:b:c::d:e:f' dstipmask='128'
srcipaddr='f:e:d::c:b:a' srcipmask='127'
dscp='2'/>
</rule>
<rule action='accept' direction='in'>
<udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
srcipaddr='a:b:c::' srcipmask='128'
dscp='33'/>
</rule>
<rule action='accept' direction='in'>
<udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
srcipaddr='::10.1.2.3' srcipmask='128'
dscp='33'/>
</rule>
</filter>

18
tests/nwfilterxml2firewalldata/udplite-linux.args Normal file
View File

@ -0,0 +1,18 @@
iptables -A FJ-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udplite --source 10.1.2.3/32 -m dscp --dscp 2 \
-m state --state ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p udplite --destination 10.1.2.3/22 -m dscp \
--dscp 33 -m state --state ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udplite --destination 10.1.2.3/22 -m dscp \
--dscp 33 -m state --state ESTABLISHED -j RETURN
iptables -A FJ-vnet0 -p udplite --destination 10.1.2.3/22 -m dscp \
--dscp 33 -m state --state ESTABLISHED -j RETURN
iptables -A FP-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A HJ-vnet0 -p udplite --destination 10.1.2.3/22 -m dscp \
--dscp 33 -m state --state ESTABLISHED -j RETURN

18
tests/nwfilterxml2firewalldata/udplite.xml Normal file
View File

@ -0,0 +1,18 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<udplite srcmacaddr='1:2:3:4:5:6'
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
dscp='2'/>
</rule>
<rule action='accept' direction='in'>
<udplite srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='22'
dscp='33'/>
</rule>
<rule action='accept' direction='in'>
<udplite srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='22'
dscp='33'/>
</rule>
</filter>

14
tests/nwfilterxml2firewalldata/vlan-linux.args Normal file
View File

@ -0,0 +1,14 @@
ebtables -t nat -A libvirt-J-vnet0 -d 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-s aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 291 -j CONTINUE
ebtables -t nat -A libvirt-P-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 291 -j CONTINUE
ebtables -t nat -A libvirt-J-vnet0 -d 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-s aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 1234 -j RETURN
ebtables -t nat -A libvirt-P-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 1234 -j RETURN
ebtables -t nat -A libvirt-P-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 291 -j DROP
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-encap 2054 -j DROP
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-encap 4660 -j ACCEPT

38
tests/nwfilterxml2firewalldata/vlan.xml Normal file
View File

@ -0,0 +1,38 @@
<filter name='tck-testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='continue' direction='inout'>
<vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
vlanid='0x123'
/>
</rule>
<rule action='return' direction='inout'>
<vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
vlanid='1234'
/>
</rule>
<rule action='reject' direction='in'>
<vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
vlanid='0x123'
/>
</rule>
<rule action='drop' direction='out'>
<vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
encap-protocol='arp'
/>
</rule>
<rule action='accept' direction='out'>
<vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
encap-protocol='0x1234'
/>
</rule>
</filter>

535
tests/nwfilterxml2firewalltest.c Normal file
View File

@ -0,0 +1,535 @@
/*
* nwfilterxml2firewalltest.c: Test iptables rule generation
*
* Copyright (C) 2014 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*
*/
#include <config.h>
#if defined (__linux__)
# include "testutils.h"
# include "nwfilter/nwfilter_ebiptables_driver.h"
# include "virbuffer.h"
# define __VIR_FIREWALL_PRIV_H_ALLOW__
# include "virfirewallpriv.h"
# define __VIR_COMMAND_PRIV_H_ALLOW__
# include "vircommandpriv.h"
# define VIR_FROM_THIS VIR_FROM_NONE
static const char *abs_top_srcdir;
# ifdef __linux__
# define RULESTYPE "linux"
# else
# error "test case not ported to this platform"
# endif
typedef struct _virNWFilterInst virNWFilterInst;
typedef virNWFilterInst *virNWFilterInstPtr;
struct _virNWFilterInst {
virNWFilterDefPtr *filters;
size_t nfilters;
virNWFilterRuleInstPtr *rules;
size_t nrules;
};
/*
* Some sets of rules that will be common to all test files,
* so we don't bother including them in the test data files
* as that would just bloat them
*/
static const char *commonRules[] = {
/* Dropping ebtables rules */
"ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
"ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
"ebtables -t nat -L libvirt-J-vnet0\n"
"ebtables -t nat -L libvirt-P-vnet0\n"
"ebtables -t nat -F libvirt-J-vnet0\n"
"ebtables -t nat -X libvirt-J-vnet0\n"
"ebtables -t nat -F libvirt-P-vnet0\n"
"ebtables -t nat -X libvirt-P-vnet0\n",
/* Creating ebtables chains */
"ebtables -t nat -N libvirt-J-vnet0\n"
"ebtables -t nat -N libvirt-P-vnet0\n",
/* Dropping iptables rules */
"iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
"iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n"
"iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
"iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
"iptables -F FP-vnet0\n"
"iptables -X FP-vnet0\n"
"iptables -F FJ-vnet0\n"
"iptables -X FJ-vnet0\n"
"iptables -F HJ-vnet0\n"
"iptables -X HJ-vnet0\n",
/* Creating iptables chains */
"iptables -N libvirt-in\n"
"iptables -N libvirt-out\n"
"iptables -N libvirt-in-post\n"
"iptables -N libvirt-host-in\n"
"iptables -D FORWARD -j libvirt-in\n"
"iptables -D FORWARD -j libvirt-out\n"
"iptables -D FORWARD -j libvirt-in-post\n"
"iptables -D INPUT -j libvirt-host-in\n"
"iptables -I FORWARD 1 -j libvirt-in\n"
"iptables -I FORWARD 2 -j libvirt-out\n"
"iptables -I FORWARD 3 -j libvirt-in-post\n"
"iptables -I INPUT 1 -j libvirt-host-in\n"
"iptables -N FP-vnet0\n"
"iptables -N FJ-vnet0\n"
"iptables -N HJ-vnet0\n"
"iptables -A libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
"iptables -A libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
"iptables -A libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
"iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
"iptables -A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n",
/* Dropping ip6tables rules */
"ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
"ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n"
"ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
"ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
"ip6tables -F FP-vnet0\n"
"ip6tables -X FP-vnet0\n"
"ip6tables -F FJ-vnet0\n"
"ip6tables -X FJ-vnet0\n"
"ip6tables -F HJ-vnet0\n"
"ip6tables -X HJ-vnet0\n",
/* Creating ip6tables chains */
"ip6tables -N libvirt-in\n"
"ip6tables -N libvirt-out\n"
"ip6tables -N libvirt-in-post\n"
"ip6tables -N libvirt-host-in\n"
"ip6tables -D FORWARD -j libvirt-in\n"
"ip6tables -D FORWARD -j libvirt-out\n"
"ip6tables -D FORWARD -j libvirt-in-post\n"
"ip6tables -D INPUT -j libvirt-host-in\n"
"ip6tables -I FORWARD 1 -j libvirt-in\n"
"ip6tables -I FORWARD 2 -j libvirt-out\n"
"ip6tables -I FORWARD 3 -j libvirt-in-post\n"
"ip6tables -I INPUT 1 -j libvirt-host-in\n"
"ip6tables -N FP-vnet0\n"
"ip6tables -N FJ-vnet0\n"
"ip6tables -N HJ-vnet0\n"
"ip6tables -A libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
"ip6tables -A libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
"ip6tables -A libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
"ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
"ip6tables -A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n",
/* Inserting ebtables rules */
"ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
"ebtables -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n",
};
static virNWFilterHashTablePtr
virNWFilterCreateVarsFrom(virNWFilterHashTablePtr vars1,
virNWFilterHashTablePtr vars2)
{
virNWFilterHashTablePtr res = virNWFilterHashTableCreate(0);
if (!res)
return NULL;
if (virNWFilterHashTablePutAll(vars1, res) < 0)
goto err_exit;
if (virNWFilterHashTablePutAll(vars2, res) < 0)
goto err_exit;
return res;
err_exit:
virNWFilterHashTableFree(res);
return NULL;
}
static void
virNWFilterRuleInstFree(virNWFilterRuleInstPtr inst)
{
if (!inst)
return;
virNWFilterHashTableFree(inst->vars);
VIR_FREE(inst);
}
static void
virNWFilterInstReset(virNWFilterInstPtr inst)
{
size_t i;
for (i = 0; i < inst->nfilters; i++)
virNWFilterDefFree(inst->filters[i]);
VIR_FREE(inst->filters);
inst->nfilters = 0;
for (i = 0; i < inst->nrules; i++)
virNWFilterRuleInstFree(inst->rules[i]);
VIR_FREE(inst->rules);
inst->nrules = 0;
}
static int
virNWFilterDefToInst(const char *xml,
virNWFilterHashTablePtr vars,
virNWFilterInstPtr inst);
static int
virNWFilterRuleDefToRuleInst(virNWFilterDefPtr def,
virNWFilterRuleDefPtr rule,
virNWFilterHashTablePtr vars,
virNWFilterInstPtr inst)
{
virNWFilterRuleInstPtr ruleinst;
int ret = -1;
if (VIR_ALLOC(ruleinst) < 0)
goto cleanup;
ruleinst->chainSuffix = def->chainsuffix;
ruleinst->chainPriority = def->chainPriority;
ruleinst->def = rule;
ruleinst->priority = rule->priority;
if (!(ruleinst->vars = virNWFilterHashTableCreate(0)))
goto cleanup;
if (virNWFilterHashTablePutAll(vars, ruleinst->vars) < 0)
goto cleanup;
if (VIR_APPEND_ELEMENT(inst->rules,
inst->nrules,
ruleinst) < 0)
goto cleanup;
ruleinst = NULL;
ret = 0;
cleanup:
virNWFilterRuleInstFree(ruleinst);
return ret;
}
static int
virNWFilterIncludeDefToRuleInst(virNWFilterIncludeDefPtr inc,
virNWFilterHashTablePtr vars,
virNWFilterInstPtr inst)
{
virNWFilterHashTablePtr tmpvars = NULL;
int ret = -1;
char *xml;
if (virAsprintf(&xml, "%s/nwfilterxml2firewalldata/%s.xml",
abs_srcdir, inc->filterref) < 0)
return -1;
/* create a temporary hashmap for depth-first tree traversal */
if (!(tmpvars = virNWFilterCreateVarsFrom(inc->params,
vars)))
goto cleanup;
if (virNWFilterDefToInst(xml,
tmpvars,
inst) < 0)
goto cleanup;
ret = 0;
cleanup:
if (ret < 0)
virNWFilterInstReset(inst);
virNWFilterHashTableFree(tmpvars);
VIR_FREE(xml);
return ret;
}
static int
virNWFilterDefToInst(const char *xml,
virNWFilterHashTablePtr vars,
virNWFilterInstPtr inst)
{
size_t i;
int ret = -1;
virNWFilterDefPtr def = virNWFilterDefParseFile(xml);
if (!def)
return -1;
if (VIR_APPEND_ELEMENT_COPY(inst->filters,
inst->nfilters,
def) < 0) {
virNWFilterDefFree(def);
goto cleanup;
}
for (i = 0; i < def->nentries; i++) {
if (def->filterEntries[i]->rule) {
if (virNWFilterRuleDefToRuleInst(def,
def->filterEntries[i]->rule,
vars,
inst) < 0)
goto cleanup;
} else if (def->filterEntries[i]->include) {
if (virNWFilterIncludeDefToRuleInst(def->filterEntries[i]->include,
vars,
inst) < 0)
goto cleanup;
}
}
ret = 0;
cleanup:
if (ret < 0)
virNWFilterInstReset(inst);
return ret;
}
static void testRemoveCommonRules(char *rules)
{
size_t i;
char *offset = rules;
for (i = 0; i < ARRAY_CARDINALITY(commonRules); i++) {
char *tmp = strstr(offset, commonRules[i]);
size_t len = strlen(commonRules[i]);
if (tmp) {
memmove(tmp, tmp + len, (strlen(tmp) + 1) - len);
offset = tmp;
}
}
}
static int testSetOneParameter(virNWFilterHashTablePtr vars,
const char *name,
const char *value)
{
int ret = -1;
virNWFilterVarValuePtr val;
if ((val = virHashLookup(vars->hashTable, name)) == NULL) {
val = virNWFilterVarValueCreateSimpleCopyValue(value);
if (!val)
goto cleanup;
if (virNWFilterHashTablePut(vars, name, val) < 0) {
virNWFilterVarValueFree(val);
goto cleanup;
}
} else {
if (virNWFilterVarValueAddValueCopy(val, value) < 0)
goto cleanup;
}
ret = 0;
cleanup:
return ret;
}
static int testSetDefaultParameters(virNWFilterHashTablePtr vars)
{
if (testSetOneParameter(vars, "IPSETNAME", "tck_test") < 0 ||
testSetOneParameter(vars, "A", "1.1.1.1") ||
testSetOneParameter(vars, "A", "2.2.2.2") ||
testSetOneParameter(vars, "A", "3.3.3.3") ||
testSetOneParameter(vars, "A", "3.3.3.3") ||
testSetOneParameter(vars, "B", "80") ||
testSetOneParameter(vars, "B", "90") ||
testSetOneParameter(vars, "B", "80") ||
testSetOneParameter(vars, "B", "80") ||
testSetOneParameter(vars, "C", "1080") ||
testSetOneParameter(vars, "C", "1090") ||
testSetOneParameter(vars, "C", "1100") ||
testSetOneParameter(vars, "C", "1110"))
return -1;
return 0;
}
static int testCompareXMLToArgvFiles(const char *xml,
const char *cmdline)
{
char *expectargv = NULL;
int len;
char *actualargv = NULL;
virBuffer buf = VIR_BUFFER_INITIALIZER;
virNWFilterHashTablePtr vars = virNWFilterHashTableCreate(0);
virNWFilterInst inst;
int ret = -1;
memset(&inst, 0, sizeof(inst));
virCommandSetDryRun(&buf, NULL, NULL);
if (!vars)
goto cleanup;
if (testSetDefaultParameters(vars) < 0)
goto cleanup;
if (virNWFilterDefToInst(xml,
vars,
&inst) < 0)
goto cleanup;
if (ebiptables_driver.applyNewRules("vnet0", inst.rules, inst.nrules) < 0)
goto cleanup;
if (virBufferError(&buf))
goto cleanup;
actualargv = virBufferContentAndReset(&buf);
virtTestClearCommandPath(actualargv);
virCommandSetDryRun(NULL, NULL, NULL);
testRemoveCommonRules(actualargv);
len = virtTestLoadFile(cmdline, &expectargv);
if (len < 0)
goto cleanup;
if (STRNEQ(expectargv, actualargv)) {
virtTestDifference(stderr, expectargv, actualargv);
goto cleanup;
}
ret = 0;
cleanup:
virBufferFreeAndReset(&buf);
VIR_FREE(expectargv);
VIR_FREE(actualargv);
virNWFilterInstReset(&inst);
virNWFilterHashTableFree(vars);
return ret;
}
struct testInfo {
const char *name;
};
static int
testCompareXMLToIPTablesHelper(const void *data)
{
int result = -1;
const struct testInfo *info = data;
char *xml = NULL;
char *args = NULL;
if (virAsprintf(&xml, "%s/nwfilterxml2firewalldata/%s.xml",
abs_srcdir, info->name) < 0 ||
virAsprintf(&args, "%s/nwfilterxml2firewalldata/%s-%s.args",
abs_srcdir, info->name, RULESTYPE) < 0)
goto cleanup;
result = testCompareXMLToArgvFiles(xml, args);
cleanup:
VIR_FREE(xml);
VIR_FREE(args);
return result;
}
static int
mymain(void)
{
int ret = 0;
abs_top_srcdir = getenv("abs_top_srcdir");
if (!abs_top_srcdir)
abs_top_srcdir = abs_srcdir "/..";
# define DO_TEST(name) \
do { \
static struct testInfo info = { \
name, \
}; \
if (virtTestRun("NWFilter XML-2-firewall " name, \
testCompareXMLToIPTablesHelper, &info) < 0) \
ret = -1; \
} while (0)
if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
ret = -1;
goto cleanup;
}
DO_TEST("ah");
DO_TEST("ah-ipv6");
DO_TEST("all");
DO_TEST("all-ipv6");
DO_TEST("arp");
DO_TEST("comment");
DO_TEST("conntrack");
DO_TEST("esp");
DO_TEST("esp-ipv6");
DO_TEST("example-1");
DO_TEST("example-2");
DO_TEST("hex-data");
DO_TEST("icmp-direction2");
DO_TEST("icmp-direction3");
DO_TEST("icmp-direction");
DO_TEST("icmp");
DO_TEST("icmpv6");
DO_TEST("igmp");
DO_TEST("ip");
DO_TEST("ipset");
DO_TEST("ipt-no-macspoof");
DO_TEST("ipv6");
DO_TEST("iter1");
DO_TEST("iter2");
DO_TEST("iter3");
DO_TEST("mac");
DO_TEST("rarp");
DO_TEST("sctp");
DO_TEST("sctp-ipv6");
DO_TEST("stp");
DO_TEST("target2");
DO_TEST("target");
DO_TEST("tcp");
DO_TEST("tcp-ipv6");
DO_TEST("udp");
DO_TEST("udp-ipv6");
DO_TEST("udplite");
DO_TEST("udplite-ipv6");
DO_TEST("vlan");
cleanup:
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
VIRT_TEST_MAIN(mymain)
#else /* ! defined (__linux__) */
int main(void)
{
return EXIT_AM_SKIP;
}
#endif /* ! defined (__linux__) */