[libvirt] [PATCH] [TCK] nwfilter:Follow changes to clean-traffic filter

Stefan Berger stefanb at linux.vnet.ibm.com
Fri Dec 2 01:38:42 UTC 2011

Follow the changes to the clean-traffic filter to pass the nwfilter tests.

 scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat |   33 +++++++----------
 1 file changed, 15 insertions(+), 18 deletions(-)

Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat
@@ -3,34 +3,31 @@
 #ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
 -o vnet0 -j libvirt-O-vnet0
 #ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
--p IPv4 -j I-vnet0-ipv4
--p ARP -j I-vnet0-arp
+-j I-vnet0-mac
+-p IPv4 -j I-vnet0-ipv4-ip
+-p IPv4 -j ACCEPT 
+-p ARP -j I-vnet0-arp-mac
+-p ARP -j I-vnet0-arp-ip
+-p ARP -j ACCEPT 
 -p 0x8035 -j I-vnet0-rarp
 -p 0x835 -j ACCEPT 
 -j DROP 
 #ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
 -p IPv4 -j O-vnet0-ipv4
--p ARP -j O-vnet0-arp
+-p ARP -j ACCEPT 
 -p 0x8035 -j O-vnet0-rarp
 -j DROP 
-#ebtables -t nat -L I-vnet0-ipv4 | grep -v "^Bridge" | grep -v "^$"
--s ! 52:54:0:9f:33:da -j DROP 
--p IPv4 --ip-src ! -j DROP 
+#ebtables -t nat -L I-vnet0-ipv4-ip | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 --ip-src --ip-proto udp --ip-sport 68 -j ACCEPT 
+-p IPv4 --ip-src -j RETURN 
+-j DROP 
 #ebtables -t nat -L O-vnet0-ipv4 | grep -v "^Bridge" | grep -v "^$"
-#ebtables -t nat -L I-vnet0-arp | grep -v "^Bridge" | grep -v "^$"
--s ! 52:54:0:9f:33:da -j DROP 
--p ARP --arp-mac-src ! 52:54:0:9f:33:da -j DROP 
--p ARP --arp-ip-src ! -j DROP 
--p ARP --arp-op Request -j ACCEPT 
--p ARP --arp-op Reply -j ACCEPT 
+#ebtables -t nat -L I-vnet0-arp-mac | grep -v "^Bridge" | grep -v "^$"
+-p ARP --arp-mac-src 52:54:0:9f:33:da -j RETURN 
 -j DROP 
-#ebtables -t nat -L O-vnet0-arp | grep -v "^Bridge" | grep -v "^$"
--p ARP --arp-gratuitous -j ACCEPT 
--p ARP --arp-op Reply --arp-mac-dst ! 52:54:0:9f:33:da -j DROP 
--p ARP --arp-ip-dst ! -j DROP 
--p ARP --arp-op Request -j ACCEPT 
--p ARP --arp-op Reply -j ACCEPT 
+#ebtables -t nat -L I-vnet0-arp-ip | grep -v "^Bridge" | grep -v "^$"
+-p ARP --arp-ip-src -j RETURN 
 -j DROP 
 #ip6tables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
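Review bot: The expected `libvirt-I-vnet0` listing now jumps to `I-vnet0-mac` before anything else, but the patch adds no section that lists that chain. The source-MAC check that the removed `-s ! 52:54:0:9f:33:da -j DROP` lines pinned in `I-vnet0-ipv4` and `I-vnet0-arp` is therefore no longer asserted for IPv4 traffic; only the ARP payload address is still checked, via `--arp-mac-src` in `I-vnet0-arp-mac`. I would add a `#ebtables -t nat -L I-vnet0-mac | grep -v "^Bridge" | grep -v "^$"` section with the rules libvirt generates for it, so that a regression leaving that chain empty or permissive fails the test. Separately, the new `I-vnet0-ipv4-ip` lines show `--ip-src` with no address, as the old ones did, presumably because the harness strips it. As written, the fixture cannot show which source address the `--ip-sport 68 -j ACCEPT` exception is bound to, which deserves a comment in the file or a check elsewhere.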
