[libvirt] [PATCH v2] nwfilters: Test suite for checking created firewall entries

Stefan Berger stefanb at us.ibm.com
Wed Apr 7 21:41:01 UTC 2010


Changes from v1 to v2:
- followed suggestions from Eric Blake on script improvements

This patch adds new test cases to the existing nwfilter test program and
adds a test script that must be run while a VM is running. This test
script verifies that the input network filter XML creates the expected
user-defined tables and rules at the ebtables, iptables and ip6tables layer
and compares their content against the expected content. The idea is that
these tools always return exactly the same output when displaying the
content of a user-defined table so that the diff tool can be used for
simple text comparison. All supported protocols have at least one test
case. 
This test program is not run automatically since it requires a running
VM.

For all tests to pass the previously posted ICMP fix patch must be applied.

Signed-off-by: Stefan Berger <stefanb at us.ibm.com>

---
 tests/nwfiltervmtest.sh                               |  186 ++++++++++++++++++
 tests/nwfilterxml2fwallout/ah-ipv6-test.fwall         |   19 +
 tests/nwfilterxml2fwallout/ah-test.fwall              |   19 +
 tests/nwfilterxml2fwallout/all-ipv6-test.fwall        |   19 +
 tests/nwfilterxml2fwallout/all-test.fwall             |   19 +
 tests/nwfilterxml2fwallout/arp-test.fwall             |    9 
 tests/nwfilterxml2fwallout/esp-ipv6-test.fwall        |   19 +
 tests/nwfilterxml2fwallout/esp-test.fwall             |   19 +
 tests/nwfilterxml2fwallout/icmp-direction-test.fwall  |   16 +
 tests/nwfilterxml2fwallout/icmp-direction2-test.fwall |   16 +
 tests/nwfilterxml2fwallout/icmp-direction3-test.fwall |   16 +
 tests/nwfilterxml2fwallout/icmp-test.fwall            |   16 +
 tests/nwfilterxml2fwallout/icmpv6-test.fwall          |   16 +
 tests/nwfilterxml2fwallout/igmp-test.fwall            |   19 +
 tests/nwfilterxml2fwallout/ip-test.fwall              |   12 +
 tests/nwfilterxml2fwallout/ipt-no-macspoof-test.fwall |   12 +
 tests/nwfilterxml2fwallout/ipv6-test.fwall            |   14 +
 tests/nwfilterxml2fwallout/mac-test.fwall             |   12 +
 tests/nwfilterxml2fwallout/sctp-ipv6-test.fwall       |   19 +
 tests/nwfilterxml2fwallout/sctp-ipv6-test.xml         |   19 +
 tests/nwfilterxml2fwallout/sctp-test.fwall            |   19 +
 tests/nwfilterxml2fwallout/tcp-ipv6-test.fwall        |   19 +
 tests/nwfilterxml2fwallout/tcp-test.fwall             |   19 +
 tests/nwfilterxml2fwallout/udp-ipv6-test.fwall        |   19 +
 tests/nwfilterxml2fwallout/udp-ipv6-test.xml          |   19 +
 tests/nwfilterxml2fwallout/udp-test.fwall             |   19 +
 tests/nwfilterxml2fwallout/udplite-ipv6-test.fwall    |   19 +
 tests/nwfilterxml2fwallout/udplite-test.fwall         |   19 +
 tests/nwfilterxml2xmlin/icmp-direction-test.xml       |   15 +
 tests/nwfilterxml2xmlin/icmp-direction2-test.xml      |   15 +
 tests/nwfilterxml2xmlin/icmp-direction3-test.xml      |   10 
 tests/nwfilterxml2xmlin/ipt-no-macspoof-test.xml      |   14 +
 tests/nwfilterxml2xmlout/icmp-direction-test.xml      |   12 +
 tests/nwfilterxml2xmlout/icmp-direction2-test.xml     |   12 +
 tests/nwfilterxml2xmlout/icmp-direction3-test.xml     |    9 
 tests/nwfilterxml2xmlout/ipt-no-macspoof-test.xml     |    9 
 tests/nwfilterxml2xmltest.c                           |    4 
 37 files changed, 748 insertions(+)

Index: libvirt-acl/tests/nwfiltervmtest.sh
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfiltervmtest.sh
@@ -0,0 +1,191 @@
+#!/bin/bash
+
+VIRSH=virsh
+ORIG_IFNAME="vnet0"
+
+TMPFILE1="/tmp/nwfiltervmtest1.txt"
+TMPFILE2="/tmp/nwfiltervmtest2.txt"
+
+function usage() {
+  local cmd="$0"
+  echo "Usage: ${cmd} [--help|-h|-?] [--ifname|-i <interfacename>"
+  cat <<EOF
+
+Options:
+ --help,-h,-? : Display this help screen.
+ --ifname, -i : Name of the backend interface of the VM. Default 'vnet0'
+
+Run this program while a KVM VM is running (preferably as only VM on the
+system) and one of its interfaces uses a filter called 'testcase'. The name
+of the interface of the VM is anticipated to be 'vnet0' unless set by the
+'--ifname' option. The following interface description fulfills this
+requirement:
+
+    <interface type='bridge'>
+      <source bridge='virbr0'/>
+      <target dev='vnet0'/>
+      <filterref filter='testcase'/>
+    </interface>
+
+The individual tests are validated using string comparison where the output
+of ebtables, iptables and ip6tables is compared against expected output. As
+long as the output of those tools is the same, the tests should all pass.
+The tests were developed on Fedore Core 12.
+
+Known problems: None of the running VMs' names may have spaces.
+EOF
+}
+
+
+function doTest() {
+  local xmlfile="$1"
+  local fwallfile="$2"
+  local ifname="$3"
+  local cmd line tmpfile tmpfile2
+  local linenums ctr=0
+  local regex="s/${ORIG_IFNAME}/${ifname}/g"
+
+  if [ ! -r "${xmlfile}" ]; then
+    echo "FAIL : Cannot access filter XML file ${xmlfile}."
+    return 1    
+  fi
+
+  tmpfile="${TMPFILE1}"
+  tmpfile2="${TMPFILE2}"
+
+  ${VIRSH} nwfilter-define "${xmlfile}" > /dev/null
+
+  exec 4<&0
+
+  exec < ${fwallfile}
+
+  read line
+  while [ "x${line}x" != "xx" ]; do
+    cmd=`echo ${line##\#} | sed ${regex}`
+
+    exec ${cmd} | grep -v "^Bridge" | grep -v "^$" > ${tmpfile}
+
+    rm ${tmpfile2} 2>/dev/null
+    touch ${tmpfile2}
+
+    while [ 1 ]; do
+      read
+
+      line="${REPLY}"
+
+      if [ "${line:0:1}" == "#" ] || [ "x${line}x" == "xx"  ]; then
+
+        diff ${tmpfile} ${tmpfile2} >/dev/null
+
+        if [ $? -ne 0 ]; then
+          echo "FAIL ${xmlfile} : ${cmd}"
+          diff ${tmpfile} ${tmpfile2}
+        else
+          echo "PASS ${xmlfile} : ${cmd}"
+        fi
+
+        break;
+
+      fi
+      echo "${line}" | sed ${regex} >> ${tmpfile2}
+    done
+  done
+
+  exec 0<&4
+  exec 4<&-
+
+  rm -rf "${tmpfile}" "${tmpfile2}" 2>/dev/null
+}
+
+
+function runTests() {
+  local ifname="$1"
+  local xmldir="$2"
+  local fwalldir="$3"
+  local fwallfiles f
+
+  pushd ${PWD} > /dev/null
+  cd ${fwalldir}
+  fwallfiles=`ls *.fwall`
+  popd > /dev/null
+
+  for fil in ${fwallfiles}; do
+    f=${fil%%.fwall}
+    doTest "${xmldir}/${f}.xml" "${fwalldir}/${fil}" "${ifname}"
+  done
+}
+
+
+function checkVM() {
+  local vmname="$1"
+  local ifname="$2"
+  local nwfilter="$3"
+  local f i c
+
+  c=`${VIRSH} dumpxml ${vmname} | grep -c "<interface"`
+  if [ ${c} -ne 1 ]; then
+    echo "VM '${vmname}' has multiple interfaces. I cannot tell for sure "
+    echo "whether this VM has the correct interface name '${ifname}' and "
+    echo "reference the filter '${nwfilter}'. Cowardly skipping this VM..."
+    return 1
+  fi
+
+  f=`{ ${VIRSH} dumpxml ${vmname} | tr -d "\n"; echo; } | \
+     sed "s/.*filterref filter='\([a-zA-Z0-9_]\+\)'.*/\1/"`
+  i=`{ ${VIRSH} dumpxml ${vmname} | tr -d "\n"; echo; } | \
+     sed "s/.*\<interface.*target dev='\([a-zA-Z0-9_]\+\)'.*<\/interface>.*/\1/"`
+
+  if [ "x${i}x" == "x${ifname}x" ] && [ "x${f}x" == "x${nwfilter}x" ]; then
+    return 0
+  fi
+
+  return 1
+}
+
+
+function main() {
+  local prgname="$0"
+  local ifname="${ORIG_IFNAME}"
+  local xmldir="nwfilterxml2xmlin"
+  local fwalldir="nwfilterxml2fwallout"
+  local found=0 vms
+  local filtername="testcase"
+
+  while [ $# -ne 0 ]; do
+    case "$1" in
+    --help|-h|-\?) usage ${prgname}; exit 0;;
+    --ifname|-i) shift 1; ifname="$1";;
+    *) usage ${prgname}; exit 1;;
+    esac
+    shift 1
+  done
+
+  if [ `uname` != "Linux" ]; then
+      echo "This script will only run on Linux."
+      exit 1;
+  fi
+
+  vms=`${VIRSH} list | grep running | gawk '{print $2}'`
+  if [ "x${vms}x" == "xx" ]; then
+    echo "Error: Need a running VM."
+    exit 1;
+  fi
+
+  for vm in ${vms}; do
+    checkVM "${vm}" "${ifname}" "${filtername}"
+    if [ $? -eq 0 ]; then
+      found=1;
+      break;
+    fi
+  done
+
+  if [ ${found} -eq 0 ]; then
+    echo "Error: Suitable VM seems not to be running. Check the help screen";
+    echo "to (--help) to read about requirements to the running VM.";
+    exit 1;
+  fi
+
+  runTests "${ifname}" "${xmldir}" "${fwalldir}"
+}
+
+main "$@"
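Review bot: The scratch files are fixed, predictable paths in /tmp (`TMPFILE1`/`TMPFILE2` at the top of the file) that `doTest` removes, touches and writes with `>`, and since listing ebtables/iptables chains presumably requires running this as root, a pre-existing file or symlink at those names would be followed; creating them with mktemp removes that, e.g. replace the two assignments in `doTest` with `tmpfile=$(mktemp /tmp/nwfiltervmtest.XXXXXX) || return 1` and `tmpfile2=$(mktemp /tmp/nwfiltervmtest.XXXXXX) || return 1` (the existing `rm -rf` at the end of `doTest` still cleans them up). The `exec ${cmd} | grep -v ...` line works only because the first stage of a pipeline runs in a subshell; `${cmd} | grep -v "^Bridge" | grep -v "^$" > "${tmpfile}"` says the same thing without suggesting the script replaces itself. `ifname` from `--ifname` is spliced unescaped into the sed expression `s/${ORIG_IFNAME}/${ifname}/g`, so a name containing `/` or `&` silently corrupts the substitution; a check such as `[[ "$ifname" =~ ^[A-Za-z0-9_.-]+$ ]] || { usage; exit 1; }` in `main` would reject it up front. The usage line is also missing its closing bracket: `[--ifname|-i <interfacename>]`.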
Index: libvirt-acl/tests/nwfilterxml2fwallout/arp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/arp-test.fwall
@@ -0,0 +1,9 @@
+#ebtables -t nat -L libvirt-I-vnet0
+-p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype 12 --arp-ptype 0x22 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f -j ACCEPT 
+-p ARP -s 1:2:3:4:5:6 --arp-op Request --arp-htype 255 --arp-ptype 0xff -j ACCEPT 
+-p ARP -s 1:2:3:4:5:6 --arp-op 11 --arp-htype 256 --arp-ptype 0x100 -j ACCEPT 
+-p ARP -s 1:2:3:4:5:6 --arp-op 65535 --arp-htype 65535 --arp-ptype 0xffff -j ACCEPT 
+-p ARP -s 1:2:3:4:5:6 -j ACCEPT 
+#ebtables -t nat -L PREROUTING
+-i vnet0 -j libvirt-I-vnet0
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/mac-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/mac-test.fwall
@@ -0,0 +1,12 @@
+#ebtables -t nat -L PREROUTING
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0
+-p ARP -s 1:2:3:4:5:6 -j ACCEPT 
+#ebtables -t nat -L libvirt-O-vnet0
+-p IPv4 -d aa:bb:cc:dd:ee:ff -j ACCEPT 
+-p 0x600 -d aa:bb:cc:dd:ee:ff -j ACCEPT 
+-d aa:bb:cc:dd:ee:ff -j ACCEPT 
+-p 0xffff -d aa:bb:cc:dd:ee:ff -j ACCEPT 
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/ip-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/ip-test.fwall
@@ -0,0 +1,12 @@
+#ebtables -t nat -L PREROUTING
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0
+-p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst 10.1.2.3 --ip-proto udp --ip-sport 20:22 --ip-dport 100:101 -j ACCEPT 
+-p IPv4 --ip-src 10.1.0.0/17 --ip-dst 10.1.2.0/24 --ip-tos 0x3F --ip-proto udp -j ACCEPT 
+-p IPv4 --ip-src 10.1.2.2/31 --ip-dst 10.1.2.3 -j ACCEPT 
+#ebtables -t nat -L libvirt-O-vnet0
+-p IPv4 --ip-src 10.1.2.2/31 --ip-dst 10.1.2.0/25 --ip-proto 255 -j ACCEPT 
+-p IPv4 --ip-src 10.1.2.3 --ip-dst 10.1.2.2/31 -j ACCEPT 
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/ipv6-test.fwall
@@ -0,0 +1,14 @@
+#ebtables -t nat -L PREROUTING
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0
+-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst ::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto udp --ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT 
+-p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto tcp --ip6-sport 100:101 --ip6-dport 20:22 -j ACCEPT 
+-p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto tcp --ip6-sport 65535 --ip6-dport 255:256 -j ACCEPT 
+-p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto mux -j ACCEPT 
+#ebtables -t nat -L libvirt-O-vnet0
+-p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto tcp --ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT 
+-p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto tcp --ip6-sport 255:256 --ip6-dport 65535 -j ACCEPT 
+-p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto mux -j ACCEPT 
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/sctp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/sctp-test.fwall
@@ -0,0 +1,19 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     sctp --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
+RETURN     sctp --  0.0.0.0/0            10.1.2.3            DSCP match 0x21sctp spts:100:1111 dpts:20:21 
+RETURN     sctp --  0.0.0.0/0            10.1.2.3            DSCP match 0x3fsctp spt:65535 dpts:255:256 
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     sctp --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
+ACCEPT     sctp --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 
+ACCEPT     sctp --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     sctp --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT     sctp --  0.0.0.0/0            10.1.2.3            DSCP match 0x21sctp spts:100:1111 dpts:20:21 
+ACCEPT     sctp --  0.0.0.0/0            10.1.2.3            DSCP match 0x3fsctp spt:65535 dpts:255:256 
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/tcp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/tcp-test.fwall
@@ -0,0 +1,19 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     tcp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
+RETURN     tcp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x21tcp spts:100:1111 dpts:20:21 
+RETURN     tcp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x3ftcp spt:65535 dpts:255:256 
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     tcp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
+ACCEPT     tcp  --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111 
+ACCEPT     tcp  --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535 
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     tcp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT     tcp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x21tcp spts:100:1111 dpts:20:21 
+ACCEPT     tcp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x3ftcp spt:65535 dpts:255:256 
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/udp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/udp-test.fwall
@@ -0,0 +1,19 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x21udp spts:100:1111 dpts:20:21 
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x3fudp spt:65535 dpts:255:256 
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
+ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 
+ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT     udp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x21udp spts:100:1111 dpts:20:21 
+ACCEPT     udp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x3fudp spt:65535 dpts:255:256 
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/tcp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/tcp-ipv6-test.fwall
@@ -0,0 +1,19 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     tcp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
+RETURN     tcp      ::/0                 a:b:c::/128         DSCP match 0x21tcp spts:100:1111 dpts:20:21 
+RETURN     tcp      ::/0                 ::10.1.2.3/128      DSCP match 0x3ftcp spt:65535 dpts:255:256 
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     tcp      a:b:c::d:e:f/128     ::/0                DSCP match 0x02state ESTABLISHED 
+ACCEPT     tcp      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111 
+ACCEPT     tcp      ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535 
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     tcp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT     tcp      ::/0                 a:b:c::/128         DSCP match 0x21tcp spts:100:1111 dpts:20:21 
+ACCEPT     tcp      ::/0                 ::10.1.2.3/128      DSCP match 0x3ftcp spt:65535 dpts:255:256 
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/all-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/all-test.fwall
@@ -0,0 +1,19 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     all  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
+RETURN     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+RETURN     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     all  --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
+ACCEPT     all  --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21
+ACCEPT     all  --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     all  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+ACCEPT     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/icmp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/icmp-test.fwall
@@ -0,0 +1,16 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     icmp --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11 state NEW,ESTABLISHED 
+RETURN     icmp --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     icmp --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21icmp type 255 code 255 
+ACCEPT     icmp --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     icmp --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11 
+ACCEPT     icmp --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/igmp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/igmp-test.fwall
@@ -0,0 +1,19 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     2    --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
+RETURN     2    --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+RETURN     2    --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     2    --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
+ACCEPT     2    --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21
+ACCEPT     2    --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     2    --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT     2    --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+ACCEPT     2    --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/icmpv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/icmpv6-test.fwall
@@ -0,0 +1,16 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     icmpv6    f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11 state NEW,ESTABLISHED 
+RETURN     icmpv6    ::/0                 ::10.1.2.3/128      DSCP match 0x21
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     icmpv6    a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21ipv6-icmp type 255 code 255 
+ACCEPT     icmpv6    ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     icmpv6    f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11 
+ACCEPT     icmpv6    ::/0                 ::10.1.2.3/128      DSCP match 0x21
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/udp-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/udp-ipv6-test.xml
@@ -0,0 +1,19 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     udp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
+RETURN     udp      ::/0                 ::/0                DSCP match 0x21udp spts:100:1111 dpts:20:21 
+RETURN     udp      ::/0                 ::10.1.2.3/128      DSCP match 0x3fudp spt:65535 dpts:255:256 
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     udp      a:b:c::d:e:f/128     ::/0                DSCP match 0x02state ESTABLISHED 
+ACCEPT     udp      ::/0                 ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 
+ACCEPT     udp      ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     udp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT     udp      ::/0                 ::/0                DSCP match 0x21udp spts:100:1111 dpts:20:21 
+ACCEPT     udp      ::/0                 ::10.1.2.3/128      DSCP match 0x3fudp spt:65535 dpts:255:256 
+
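Review bot: This expected-output file is named `udp-ipv6-test.xml` under `nwfilterxml2fwallout/`, but `runTests` in nwfiltervmtest.sh only collects `*.fwall` files, so this case is silently never executed; the same applies to `sctp-ipv6-test.xml` in the next hunk, and the diffstat lists both with the `.xml` suffix. Renaming them to `udp-ipv6-test.fwall` and `sctp-ipv6-test.fwall` makes the runner pick them up, assuming the matching `udp-ipv6-test.xml` and `sctp-ipv6-test.xml` inputs already exist in `nwfilterxml2xmlin/` (this patch does not add them, so presumably they do). Once they run, the expected output still has to be confirmed against real ip6tables output, since a mismatch here would only show up as a FAIL at that point.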
Index: libvirt-acl/tests/nwfilterxml2fwallout/sctp-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/sctp-ipv6-test.xml
@@ -0,0 +1,19 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     sctp     ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
+RETURN     sctp     ::/0                 a:b:c::/128         DSCP match 0x21sctp spts:100:1111 dpts:20:21 
+RETURN     sctp     ::/0                 ::10.1.2.3/128      DSCP match 0x3fsctp spt:65535 dpts:255:256 
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     sctp     a:b:c::d:e:f/128     ::/0                DSCP match 0x02state ESTABLISHED 
+ACCEPT     sctp     a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 
+ACCEPT     sctp     ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     sctp     ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT     sctp     ::/0                 a:b:c::/128         DSCP match 0x21sctp spts:100:1111 dpts:20:21 
+ACCEPT     sctp     ::/0                 ::10.1.2.3/128      DSCP match 0x3fsctp spt:65535 dpts:255:256 
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/ah-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/ah-ipv6-test.fwall
@@ -0,0 +1,19 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     ah       f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
+RETURN     ah       ::/0                 a:b:c::/128         DSCP match 0x21
+RETURN     ah       ::/0                 ::10.1.2.3/128      DSCP match 0x21
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     ah       a:b:c::d:e:f/128     f:e:d::c:b:a/127    DSCP match 0x02state ESTABLISHED 
+ACCEPT     ah       a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21
+ACCEPT     ah       ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     ah       f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT     ah       ::/0                 a:b:c::/128         DSCP match 0x21
+ACCEPT     ah       ::/0                 ::10.1.2.3/128      DSCP match 0x21
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/ah-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/ah-test.fwall
@@ -0,0 +1,19 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     ah   --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
+RETURN     ah   --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+RETURN     ah   --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     ah   --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
+ACCEPT     ah   --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21
+ACCEPT     ah   --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     ah   --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT     ah   --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+ACCEPT     ah   --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/all-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/all-ipv6-test.fwall
@@ -0,0 +1,19 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     all      f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
+RETURN     all      ::/0                 a:b:c::/128         DSCP match 0x21
+RETURN     all      ::/0                 ::10.1.2.3/128      DSCP match 0x21
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     all      a:b:c::d:e:f/128     f:e:d::c:b:a/127    DSCP match 0x02state ESTABLISHED 
+ACCEPT     all      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21
+ACCEPT     all      ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     all      f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT     all      ::/0                 a:b:c::/128         DSCP match 0x21
+ACCEPT     all      ::/0                 ::10.1.2.3/128      DSCP match 0x21
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/esp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/esp-ipv6-test.fwall
@@ -0,0 +1,19 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     esp      f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
+RETURN     esp      ::/0                 a:b:c::/128         DSCP match 0x21
+RETURN     esp      ::/0                 ::10.1.2.3/128      DSCP match 0x21
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     esp      a:b:c::d:e:f/128     f:e:d::c:b:a/127    DSCP match 0x02state ESTABLISHED 
+ACCEPT     esp      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21
+ACCEPT     esp      ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     esp      f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT     esp      ::/0                 a:b:c::/128         DSCP match 0x21
+ACCEPT     esp      ::/0                 ::10.1.2.3/128      DSCP match 0x21
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/esp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/esp-test.fwall
@@ -0,0 +1,19 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     esp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
+RETURN     esp  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+RETURN     esp  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     esp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
+ACCEPT     esp  --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21
+ACCEPT     esp  --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     esp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT     esp  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+ACCEPT     esp  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/sctp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/sctp-ipv6-test.fwall
@@ -0,0 +1,19 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     sctp     ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
+RETURN     sctp     ::/0                 a:b:c::/128         DSCP match 0x21sctp spts:100:1111 dpts:20:21 
+RETURN     sctp     ::/0                 ::10.1.2.3/128      DSCP match 0x3fsctp spt:65535 dpts:255:256 
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     sctp     a:b:c::d:e:f/128     ::/0                DSCP match 0x02state ESTABLISHED 
+ACCEPT     sctp     a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 
+ACCEPT     sctp     ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     sctp     ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT     sctp     ::/0                 a:b:c::/128         DSCP match 0x21sctp spts:100:1111 dpts:20:21 
+ACCEPT     sctp     ::/0                 ::10.1.2.3/128      DSCP match 0x3fsctp spt:65535 dpts:255:256 
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/udp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/udp-ipv6-test.fwall
@@ -0,0 +1,19 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     udp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
+RETURN     udp      ::/0                 ::/0                DSCP match 0x21udp spts:100:1111 dpts:20:21 
+RETURN     udp      ::/0                 ::10.1.2.3/128      DSCP match 0x3fudp spt:65535 dpts:255:256 
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     udp      a:b:c::d:e:f/128     ::/0                DSCP match 0x02state ESTABLISHED 
+ACCEPT     udp      ::/0                 ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 
+ACCEPT     udp      ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     udp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT     udp      ::/0                 ::/0                DSCP match 0x21udp spts:100:1111 dpts:20:21 
+ACCEPT     udp      ::/0                 ::10.1.2.3/128      DSCP match 0x3fudp spt:65535 dpts:255:256 
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/udplite-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/udplite-ipv6-test.fwall
@@ -0,0 +1,19 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     udplite    f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
+RETURN     udplite    ::/0                 a:b:c::/128         DSCP match 0x21
+RETURN     udplite    ::/0                 ::10.1.2.3/128      DSCP match 0x21
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     udplite    a:b:c::d:e:f/128     f:e:d::c:b:a/127    DSCP match 0x02state ESTABLISHED 
+ACCEPT     udplite    a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21
+ACCEPT     udplite    ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     udplite    f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT     udplite    ::/0                 a:b:c::/128         DSCP match 0x21
+ACCEPT     udplite    ::/0                 ::10.1.2.3/128      DSCP match 0x21
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/udplite-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/udplite-test.fwall
@@ -0,0 +1,19 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     udplite--  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
+RETURN     udplite--  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+RETURN     udplite--  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     udplite--  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
+ACCEPT     udplite--  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21
+ACCEPT     udplite--  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     udplite--  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT     udplite--  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+ACCEPT     udplite--  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+
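Review bot: The expected text in this fixture is bound to one specific iptables release's column layout — `udplite--` (the 7-character protocol name overrunning the 4-character `prot` column) and the fused `DSCP match 0x21` / `state` fields are formatting artifacts, not rule content, and a newer or older iptables that prints them differently will fail the byte-for-byte diff without any rule actually changing. The same applies to every `.fwall` fixture in this patch, including the ipv6 ones above (lines 616–757). It would help whoever hits that failure to record the iptables/ip6tables/ebtables versions the fixtures were captured with, e.g. in a short README in `tests/nwfilterxml2fwallout/` or a comment at the top of `nwfiltervmtest.sh`, so a layout-only mismatch can be told apart from a real rule regression.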
Index: libvirt-acl/tests/nwfilterxml2xmlin/ipt-no-macspoof-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlin/ipt-no-macspoof-test.xml
@@ -0,0 +1,14 @@
+<filter name='testcase'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='drop' direction='inout'>
+     <!-- should use $MAC for MAC address, but tests would depend on VM's
+          MAC address -->
+     <all match='no' srcmacaddr='12:34:56:78:9a:bc'/>
+  </rule>
+
+  <rule action='drop' direction='in'>
+     <!-- not accepting incoming traffic from a certain MAC address -->
+     <all match='no' srcmacaddr='aa:aa:aa:aa:aa:aa'/>
+  </rule>
+
+</filter>
Index: libvirt-acl/tests/nwfilterxml2xmltest.c
===================================================================
--- libvirt-acl.orig/tests/nwfilterxml2xmltest.c
+++ libvirt-acl/tests/nwfilterxml2xmltest.c
@@ -114,6 +114,10 @@ mymain(int argc, char **argv)
 
     DO_TEST("ref-test");
     DO_TEST("ref-rule-test");
+    DO_TEST("ipt-no-macspoof-test");
+    DO_TEST("icmp-direction-test");
+    DO_TEST("icmp-direction2-test");
+    DO_TEST("icmp-direction3-test");
 
     return (ret==0 ? EXIT_SUCCESS : EXIT_FAILURE);
 }
Index: libvirt-acl/tests/nwfilterxml2xmlout/ipt-no-macspoof-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlout/ipt-no-macspoof-test.xml
@@ -0,0 +1,9 @@
+<filter name='testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='drop' direction='inout' priority='500'>
+    <all match='no' srcmacaddr='12:34:56:78:9a:bc'/>
+  </rule>
+  <rule action='drop' direction='in' priority='500'>
+    <all match='no' srcmacaddr='aa:aa:aa:aa:aa:aa'/>
+  </rule>
+</filter>
Index: libvirt-acl/tests/nwfilterxml2fwallout/ipt-no-macspoof-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/ipt-no-macspoof-test.fwall
@@ -0,0 +1,12 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+DROP       all  --  0.0.0.0/0            0.0.0.0/0           MAC ! 12:34:56:78:9A:BC 
+DROP       all  --  0.0.0.0/0            0.0.0.0/0           MAC ! AA:AA:AA:AA:AA:AA 
+#iptables -L HI-vnet0
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+
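Review bot: The HI-vnet0 command line on the third listing, `#iptables -L HI-vnet0`, is the only one in the patch without `-n`; every other fixture uses `-n` for all three chains. If the test script derives the commands it runs from these `#` lines (the script itself is outside this chunk, so this is inferred), omitting `-n` makes iptables perform reverse-DNS lookups and print host names instead of addresses, so the captured text becomes dependent on the resolver and the comparison stops being deterministic. The chain happens to be empty here, which is why it still passes, but it should read `#iptables -L HI-vnet0 -n` for consistency and so a later non-empty rule does not break the fixture.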
Index: libvirt-acl/tests/nwfilterxml2xmlin/icmp-direction-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlin/icmp-direction-test.xml
@@ -0,0 +1,15 @@
+<filter name='testcase'>
+    <uuid>f4b3f745-d23d-2ee6-218a-d5671611229b</uuid>
+    <!-- allow incoming ICMP Echo Reply -->
+    <rule action='accept' direction='in' priority='500'>
+        <icmp type='0'/>
+    </rule>
+    <!-- allow outgoing ICMP Echo Request -->
+    <rule action='accept' direction='out' priority='500'>
+        <icmp type='8'/>
+    </rule>
+    <!-- drop all other ICMP traffic -->
+    <rule action='drop' direction='inout' priority='600'>
+        <icmp/>
+    </rule>
+</filter>
Index: libvirt-acl/tests/nwfilterxml2xmlout/icmp-direction-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlout/icmp-direction-test.xml
@@ -0,0 +1,12 @@
+<filter name='testcase' chain='root'>
+  <uuid>f4b3f745-d23d-2ee6-218a-d5671611229b</uuid>
+  <rule action='accept' direction='in' priority='500'>
+    <icmp type='0'/>
+  </rule>
+  <rule action='accept' direction='out' priority='500'>
+    <icmp type='8'/>
+  </rule>
+  <rule action='drop' direction='inout' priority='600'>
+    <icmp/>
+  </rule>
+</filter>
Index: libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction-test.fwall
@@ -0,0 +1,16 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 state NEW,ESTABLISHED 
+DROP       icmp --  0.0.0.0/0            0.0.0.0/0           
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0 
+DROP       icmp --  0.0.0.0/0            0.0.0.0/0           
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 
+DROP       icmp --  0.0.0.0/0            0.0.0.0/0           
+
Index: libvirt-acl/tests/nwfilterxml2xmlin/icmp-direction2-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlin/icmp-direction2-test.xml
@@ -0,0 +1,15 @@
+<filter name='testcase'>
+    <uuid>d6b1a2af-def6-2898-9f8d-4a74e3c39558</uuid>
+    <!-- allow incoming ICMP Echo Request -->
+    <rule action='accept' direction='in' priority='500'>
+        <icmp type='8'/>
+    </rule>
+    <!-- allow outgoing ICMP Echo Reply -->
+    <rule action='accept' direction='out' priority='500'>
+        <icmp type='0'/>
+    </rule>
+    <!-- drop all other ICMP traffic -->
+    <rule action='drop' direction='inout' priority='600'>
+        <icmp/>
+    </rule>
+</filter>
Index: libvirt-acl/tests/nwfilterxml2xmlout/icmp-direction2-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlout/icmp-direction2-test.xml
@@ -0,0 +1,12 @@
+<filter name='testcase' chain='root'>
+  <uuid>d6b1a2af-def6-2898-9f8d-4a74e3c39558</uuid>
+  <rule action='accept' direction='in' priority='500'>
+    <icmp type='8'/>
+  </rule>
+  <rule action='accept' direction='out' priority='500'>
+    <icmp type='0'/>
+  </rule>
+  <rule action='drop' direction='inout' priority='600'>
+    <icmp/>
+  </rule>
+</filter>
Index: libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction2-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction2-test.fwall
@@ -0,0 +1,16 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0 state NEW,ESTABLISHED 
+DROP       icmp --  0.0.0.0/0            0.0.0.0/0           
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 
+DROP       icmp --  0.0.0.0/0            0.0.0.0/0           
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0 
+DROP       icmp --  0.0.0.0/0            0.0.0.0/0           
+
Index: libvirt-acl/tests/nwfilterxml2xmlin/icmp-direction3-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlin/icmp-direction3-test.xml
@@ -0,0 +1,10 @@
+<filter name='testcase'>
+    <uuid>d6b1a2af-def6-2898-9f8d-4a74e3c39558</uuid>
+    <rule action='accept' direction='out' priority='500'>
+        <icmp/>
+    </rule>
+    <!-- drop all other traffic -->
+    <rule action='drop' direction='inout' priority='600'>
+        <all/>
+    </rule>
+</filter>
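Review bot: This filter reuses the UUID `d6b1a2af-def6-2898-9f8d-4a74e3c39558` that icmp-direction2-test.xml already carries (line 908), and the matching xmlout fixture repeats it (line 981). The xml2xml test only parses and re-formats, so it will not notice, but if the VM test script defines these filters in the daemon one after another, two definitions sharing a UUID under the same name `testcase` is exactly the kind of collision the nwfilter driver may reject or silently treat as the same object, making a failure hard to attribute. Give icmp-direction3 its own freshly generated UUID (placeholder: `<NEW-UUID>`) in both the xmlin and xmlout files.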
Index: libvirt-acl/tests/nwfilterxml2xmlout/icmp-direction3-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlout/icmp-direction3-test.xml
@@ -0,0 +1,9 @@
+<filter name='testcase' chain='root'>
+  <uuid>d6b1a2af-def6-2898-9f8d-4a74e3c39558</uuid>
+  <rule action='accept' direction='out' priority='500'>
+    <icmp/>
+  </rule>
+  <rule action='drop' direction='inout' priority='600'>
+    <all/>
+  </rule>
+</filter>
Index: libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction3-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction3-test.fwall
@@ -0,0 +1,16 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED 
+DROP       all  --  0.0.0.0/0            0.0.0.0/0           
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
+DROP       all  --  0.0.0.0/0            0.0.0.0/0           
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
+DROP       all  --  0.0.0.0/0            0.0.0.0/0           
+
Index: libvirt-acl/tests/Makefile.am
===================================================================
--- libvirt-acl.orig/tests/Makefile.am
+++ libvirt-acl/tests/Makefile.am
@@ -74,7 +74,9 @@ EXTRA_DIST =		\
 	xml2vmxdata \
 	nwfilterxml2xmlout \
 	nwfilterxml2xmlin \
+	nwfilterxml2fwallout \
 	nwfilterschematest \
+	nwfiltervmtest.sh \
 	$(patsubst %,qemuhelpdata/%,$(qemuhelpdata))
 
 noinst_PROGRAMS = virshtest conftest \




