[libvirt] [PATCH 26/26] Add a test suite for nwfilter ebiptables tech driver

Daniel P. Berrange berrange at redhat.com
Tue Apr 8 15:38:18 UTC 2014


Create a nwfilterxml2firewalltest to exercise the
ebiptables_driver.applyNewRules method with a variety of
different XML input files. The XML input files are taken
from the libvirt-tck nwfilter tests. While the nwfilter
tests verify the final state of the iptables chains, this
test verifies the set of commands invoked to create the
chains.

Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
---
 src/conf/nwfilter_params.c                         |  15 +
 src/conf/nwfilter_params.h                         |   1 +
 src/libvirt_private.syms                           |   2 +
 tests/Makefile.am                                  |   7 +
 tests/nwfilterxml2firewalldata/ah-ipv6-linux.args  |  20 +
 tests/nwfilterxml2firewalldata/ah-ipv6.xml         |  19 +
 tests/nwfilterxml2firewalldata/ah-linux.args       |  18 +
 tests/nwfilterxml2firewalldata/ah.xml              |  18 +
 tests/nwfilterxml2firewalldata/all-ipv6-linux.args |  20 +
 tests/nwfilterxml2firewalldata/all-ipv6.xml        |  19 +
 tests/nwfilterxml2firewalldata/all-linux.args      |  18 +
 tests/nwfilterxml2firewalldata/all.xml             |  18 +
 tests/nwfilterxml2firewalldata/arp-linux.args      |  11 +
 tests/nwfilterxml2firewalldata/arp.xml             |  32 ++
 tests/nwfilterxml2firewalldata/comment-linux.args  |  49 ++
 tests/nwfilterxml2firewalldata/comment.xml         |  71 +++
 .../nwfilterxml2firewalldata/conntrack-linux.args  |   7 +
 tests/nwfilterxml2firewalldata/conntrack.xml       |  12 +
 tests/nwfilterxml2firewalldata/esp-ipv6-linux.args |  20 +
 tests/nwfilterxml2firewalldata/esp-ipv6.xml        |  19 +
 tests/nwfilterxml2firewalldata/esp-linux.args      |  18 +
 tests/nwfilterxml2firewalldata/esp.xml             |  18 +
 .../nwfilterxml2firewalldata/example-1-linux.args  |  13 +
 tests/nwfilterxml2firewalldata/example-1.xml       |  24 +
 .../nwfilterxml2firewalldata/example-2-linux.args  |  20 +
 tests/nwfilterxml2firewalldata/example-2.xml       |  37 ++
 tests/nwfilterxml2firewalldata/hex-data-linux.args |  28 ++
 tests/nwfilterxml2firewalldata/hex-data.xml        |  56 +++
 .../icmp-direction-linux.args                      |   9 +
 tests/nwfilterxml2firewalldata/icmp-direction.xml  |  15 +
 .../icmp-direction2-linux.args                     |   9 +
 tests/nwfilterxml2firewalldata/icmp-direction2.xml |  15 +
 .../icmp-direction3-linux.args                     |   6 +
 tests/nwfilterxml2firewalldata/icmp-direction3.xml |  10 +
 tests/nwfilterxml2firewalldata/icmp-linux.args     |   9 +
 tests/nwfilterxml2firewalldata/icmp.xml            |  13 +
 tests/nwfilterxml2firewalldata/icmpv6-linux.args   |  12 +
 tests/nwfilterxml2firewalldata/icmpv6.xml          |  19 +
 tests/nwfilterxml2firewalldata/igmp-linux.args     |  18 +
 tests/nwfilterxml2firewalldata/igmp.xml            |  18 +
 tests/nwfilterxml2firewalldata/ip-linux.args       |   8 +
 tests/nwfilterxml2firewalldata/ip.xml              |  28 ++
 tests/nwfilterxml2firewalldata/ipset-linux.args    |  36 ++
 tests/nwfilterxml2firewalldata/ipset.xml           |  25 +
 .../ipt-no-macspoof-linux.args                     |   2 +
 tests/nwfilterxml2firewalldata/ipt-no-macspoof.xml |  14 +
 tests/nwfilterxml2firewalldata/ipv6-linux.args     |  20 +
 tests/nwfilterxml2firewalldata/ipv6.xml            |  43 ++
 tests/nwfilterxml2firewalldata/iter1-linux.args    |  18 +
 tests/nwfilterxml2firewalldata/iter1.xml           |   6 +
 tests/nwfilterxml2firewalldata/iter2-linux.args    | 342 +++++++++++++
 tests/nwfilterxml2firewalldata/iter2.xml           |  23 +
 tests/nwfilterxml2firewalldata/iter3-linux.args    |  30 ++
 tests/nwfilterxml2firewalldata/iter3.xml           |  13 +
 tests/nwfilterxml2firewalldata/mac-linux.args      |   8 +
 tests/nwfilterxml2firewalldata/mac.xml             |  19 +
 tests/nwfilterxml2firewalldata/rarp-linux.args     |  12 +
 tests/nwfilterxml2firewalldata/rarp.xml            |  28 ++
 tests/nwfilterxml2firewalldata/ref-rule.xml        |  18 +
 tests/nwfilterxml2firewalldata/ref.xml             |   4 +
 .../nwfilterxml2firewalldata/sctp-ipv6-linux.args  |  22 +
 tests/nwfilterxml2firewalldata/sctp-ipv6.xml       |  22 +
 tests/nwfilterxml2firewalldata/sctp-linux.args     |  20 +
 tests/nwfilterxml2firewalldata/sctp.xml            |  22 +
 tests/nwfilterxml2firewalldata/stp-linux.args      |  18 +
 tests/nwfilterxml2firewalldata/stp.xml             |  26 +
 tests/nwfilterxml2firewalldata/target-linux.args   |  75 +++
 tests/nwfilterxml2firewalldata/target.xml          |  66 +++
 tests/nwfilterxml2firewalldata/target2-linux.args  |  13 +
 tests/nwfilterxml2firewalldata/target2.xml         |  18 +
 tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args |  22 +
 tests/nwfilterxml2firewalldata/tcp-ipv6.xml        |  22 +
 tests/nwfilterxml2firewalldata/tcp-linux.args      |  22 +
 tests/nwfilterxml2firewalldata/tcp.xml             |  34 ++
 tests/nwfilterxml2firewalldata/udp-ipv6-linux.args |  22 +
 tests/nwfilterxml2firewalldata/udp-ipv6.xml        |  22 +
 tests/nwfilterxml2firewalldata/udp-linux.args      |  20 +
 tests/nwfilterxml2firewalldata/udp.xml             |  22 +
 .../udplite-ipv6-linux.args                        |  20 +
 tests/nwfilterxml2firewalldata/udplite-ipv6.xml    |  19 +
 tests/nwfilterxml2firewalldata/udplite-linux.args  |  18 +
 tests/nwfilterxml2firewalldata/udplite.xml         |  18 +
 tests/nwfilterxml2firewalldata/vlan-linux.args     |  14 +
 tests/nwfilterxml2firewalldata/vlan.xml            |  38 ++
 tests/nwfilterxml2firewalltest.c                   | 534 +++++++++++++++++++++
 85 files changed, 2609 insertions(+)
 create mode 100644 tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/ah-ipv6.xml
 create mode 100644 tests/nwfilterxml2firewalldata/ah-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/ah.xml
 create mode 100644 tests/nwfilterxml2firewalldata/all-ipv6-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/all-ipv6.xml
 create mode 100644 tests/nwfilterxml2firewalldata/all-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/all.xml
 create mode 100644 tests/nwfilterxml2firewalldata/arp-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/arp.xml
 create mode 100644 tests/nwfilterxml2firewalldata/comment-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/comment.xml
 create mode 100644 tests/nwfilterxml2firewalldata/conntrack-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/conntrack.xml
 create mode 100644 tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/esp-ipv6.xml
 create mode 100644 tests/nwfilterxml2firewalldata/esp-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/esp.xml
 create mode 100644 tests/nwfilterxml2firewalldata/example-1-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/example-1.xml
 create mode 100644 tests/nwfilterxml2firewalldata/example-2-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/example-2.xml
 create mode 100644 tests/nwfilterxml2firewalldata/hex-data-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/hex-data.xml
 create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction.xml
 create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction2-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction2.xml
 create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction3.xml
 create mode 100644 tests/nwfilterxml2firewalldata/icmp-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/icmp.xml
 create mode 100644 tests/nwfilterxml2firewalldata/icmpv6-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/icmpv6.xml
 create mode 100644 tests/nwfilterxml2firewalldata/igmp-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/igmp.xml
 create mode 100644 tests/nwfilterxml2firewalldata/ip-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/ip.xml
 create mode 100644 tests/nwfilterxml2firewalldata/ipset-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/ipset.xml
 create mode 100644 tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/ipt-no-macspoof.xml
 create mode 100644 tests/nwfilterxml2firewalldata/ipv6-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/ipv6.xml
 create mode 100644 tests/nwfilterxml2firewalldata/iter1-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/iter1.xml
 create mode 100644 tests/nwfilterxml2firewalldata/iter2-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/iter2.xml
 create mode 100644 tests/nwfilterxml2firewalldata/iter3-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/iter3.xml
 create mode 100644 tests/nwfilterxml2firewalldata/mac-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/mac.xml
 create mode 100644 tests/nwfilterxml2firewalldata/rarp-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/rarp.xml
 create mode 100644 tests/nwfilterxml2firewalldata/ref-rule.xml
 create mode 100644 tests/nwfilterxml2firewalldata/ref.xml
 create mode 100644 tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/sctp-ipv6.xml
 create mode 100644 tests/nwfilterxml2firewalldata/sctp-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/sctp.xml
 create mode 100644 tests/nwfilterxml2firewalldata/stp-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/stp.xml
 create mode 100644 tests/nwfilterxml2firewalldata/target-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/target.xml
 create mode 100644 tests/nwfilterxml2firewalldata/target2-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/target2.xml
 create mode 100644 tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/tcp-ipv6.xml
 create mode 100644 tests/nwfilterxml2firewalldata/tcp-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/tcp.xml
 create mode 100644 tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/udp-ipv6.xml
 create mode 100644 tests/nwfilterxml2firewalldata/udp-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/udp.xml
 create mode 100644 tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/udplite-ipv6.xml
 create mode 100644 tests/nwfilterxml2firewalldata/udplite-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/udplite.xml
 create mode 100644 tests/nwfilterxml2firewalldata/vlan-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/vlan.xml
 create mode 100644 tests/nwfilterxml2firewalltest.c

diff --git a/src/conf/nwfilter_params.c b/src/conf/nwfilter_params.c
index 7655033..ac4d4a8 100644
--- a/src/conf/nwfilter_params.c
+++ b/src/conf/nwfilter_params.c
@@ -252,6 +252,21 @@ virNWFilterVarValueAddValue(virNWFilterVarValuePtr val, char *value)
     return rc;
 }
 
+
+int
+virNWFilterVarValueAddValueCopy(virNWFilterVarValuePtr val, const char *value)
+{
+    char *valdup;
+    if (VIR_STRDUP(valdup, value) < 0)
+        return -1;
+    if (virNWFilterVarValueAddValue(val, valdup) < 0) {
+        VIR_FREE(valdup);
+        return -1;
+    }
+    return 0;
+}
+
+
 static int
 virNWFilterVarValueDelNthValue(virNWFilterVarValuePtr val, unsigned int pos)
 {
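Review bot: virNWFilterVarValueAddValueCopy has no comment stating the ownership rule that separates it from virNWFilterVarValueAddValue: the caller keeps `value`, and the function stores its own duplicate, freeing it if the add fails. A header comment would make that explicit, for example `/* Like virNWFilterVarValueAddValue(), but stores a copy of @value; the caller retains ownership. Returns 0 on success, -1 on error. */`. Separately, if VIR_STRDUP treats a NULL source as a successful no-op (I believe it does, but please confirm), a NULL `value` is passed on to virNWFilterVarValueAddValue as a NULL `valdup`. An early `if (!value) return -1;`, or ATTRIBUTE_NONNULL on the prototype in nwfilter_params.h, would close that.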
diff --git a/src/conf/nwfilter_params.h b/src/conf/nwfilter_params.h
index f9efc42..08e448f 100644
--- a/src/conf/nwfilter_params.h
+++ b/src/conf/nwfilter_params.h
@@ -60,6 +60,7 @@ unsigned int virNWFilterVarValueGetCardinality(const virNWFilterVarValue *);
 bool virNWFilterVarValueEqual(const virNWFilterVarValue *a,
                               const virNWFilterVarValue *b);
 int virNWFilterVarValueAddValue(virNWFilterVarValuePtr val, char *value);
+int virNWFilterVarValueAddValueCopy(virNWFilterVarValuePtr val, const char *value);
 int virNWFilterVarValueDelValue(virNWFilterVarValuePtr val, const char *value);
 
 typedef struct _virNWFilterHashTable virNWFilterHashTable;
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 18be0e1..67edd20 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -578,6 +578,7 @@ virNWFilterConfLayerInit;
 virNWFilterConfLayerShutdown;
 virNWFilterDefFormat;
 virNWFilterDefFree;
+virNWFilterDefParseFile;
 virNWFilterDefParseString;
 virNWFilterInstFiltersOnAllVMs;
 virNWFilterJumpTargetTypeToString;
@@ -630,6 +631,7 @@ virNWFilterVarCombIterFree;
 virNWFilterVarCombIterGetVarValue;
 virNWFilterVarCombIterNext;
 virNWFilterVarValueAddValue;
+virNWFilterVarValueAddValueCopy;
 virNWFilterVarValueCopy;
 virNWFilterVarValueCreateSimple;
 virNWFilterVarValueCreateSimpleCopyValue;
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 9547c02..4a71f37 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -270,6 +270,7 @@ test_programs += nwfilterxml2xmltest
 
 if WITH_NWFILTER
 test_programs += nwfilterebiptablestest
+test_programs += nwfilterxml2firewalltest
 endif WITH_NWFILTER
 
 if WITH_STORAGE
@@ -696,6 +697,12 @@ nwfilterebiptablestest_SOURCES = \
 	nwfilterebiptablestest.c \
 	testutils.c testutils.h
 nwfilterebiptablestest_LDADD = ../src/libvirt_driver_nwfilter_impl.la $(LDADDS)
+
+nwfilterxml2firewalltest_SOURCES = \
+	nwfilterxml2firewalltest.c \
+	testutils.c testutils.h
+nwfilterxml2firewalltest_LDADD = \
+	../src/libvirt_driver_nwfilter_impl.la $(LDADDS)
 endif WITH_NWFILTER
 
 secretxml2xmltest_SOURCES = \
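Review bot: The new tests/nwfilterxml2firewalldata directory does not appear to be added to any distribution list in this file, because the diffstat gives 7 added lines for tests/Makefile.am and these two hunks account for all of them (1 + 6). If the test data directories are enumerated in `EXTRA_DIST`, as I would expect for the other data directories, `nwfilterxml2firewalldata` needs an entry too; otherwise the test cannot find its inputs when run from a release tarball or under `make distcheck`. The EXTRA_DIST block is outside the visible hunks, so this needs confirming against the full file.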
diff --git a/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args b/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
new file mode 100644
index 0000000..aa7a70d
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p ah --destination f:e:d::c:b:a/127 \
+--source a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p ah --destination a:b:c::/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p ah --destination a:b:c::/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p ah --destination ::10.1.2.3/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p ah --destination ::10.1.2.3/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/ah-ipv6.xml b/tests/nwfilterxml2firewalldata/ah-ipv6.xml
new file mode 100644
index 0000000..95ebbc9
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ah-ipv6.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <ah-ipv6 srcmacaddr='1:2:3:4:5:6'
+              dstipaddr='a:b:c::d:e:f' dstipmask='128'
+              srcipaddr='f:e:d::c:b:a' srcipmask='127'
+              dscp='2'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <ah-ipv6 srcmacaddr='1:2:3:4:5:6'
+              srcipaddr='a:b:c::' srcipmask='128'
+              dscp='33'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <ah-ipv6 srcmacaddr='1:2:3:4:5:6'
+              srcipaddr='::10.1.2.3' srcipmask='128'
+              dscp='33'/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/ah-linux.args b/tests/nwfilterxml2firewalldata/ah-linux.args
new file mode 100644
index 0000000..a0f5fb6
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ah-linux.args
@@ -0,0 +1,18 @@
+/usr/sbin/iptables -A FJ-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p ah --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p ah --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p ah --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p ah --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p ah --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/ah.xml b/tests/nwfilterxml2firewalldata/ah.xml
new file mode 100644
index 0000000..287c10b
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ah.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <ah  srcmacaddr='1:2:3:4:5:6'
+          dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+          dscp='2'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <ah  srcmacaddr='1:2:3:4:5:6'
+          srcipaddr='10.1.2.3' srcipmask='22'
+          dscp='33'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <ah  srcmacaddr='1:2:3:4:5:6'
+          srcipaddr='10.1.2.3' srcipmask='22'
+          dscp='33'/>
+  </rule>
+</filter>
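Review bot: The third `<rule>` in ah.xml is identical to the second (`srcipaddr='10.1.2.3' srcipmask='22'`, `dscp='33'`), so the last six lines of ah-linux.args repeat the six before them and add no coverage; all.xml and all-linux.args have the same duplication. The IPv6 variants change the address in their third rule (`a:b:c::` versus `::10.1.2.3`), which suggests the IPv4 files were meant to differ as well, for instance by writing one mask in dotted-quad form so both notations are exercised. If the duplication is inherited unchanged from libvirt-tck on purpose, a one-line XML comment saying so would stop later readers from "fixing" it.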
diff --git a/tests/nwfilterxml2firewalldata/all-ipv6-linux.args b/tests/nwfilterxml2firewalldata/all-ipv6-linux.args
new file mode 100644
index 0000000..6559434
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/all-ipv6-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p all --destination f:e:d::c:b:a/127 \
+--source a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p all --destination a:b:c::/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p all --destination a:b:c::/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p all --destination ::10.1.2.3/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p all --destination ::10.1.2.3/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/all-ipv6.xml b/tests/nwfilterxml2firewalldata/all-ipv6.xml
new file mode 100644
index 0000000..5cf3519
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/all-ipv6.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <all-ipv6 srcmacaddr='1:2:3:4:5:6'
+               dstipaddr='a:b:c::d:e:f' dstipmask='128'
+               srcipaddr='f:e:d::c:b:a' srcipmask='127'
+               dscp='2'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <all-ipv6 srcmacaddr='1:2:3:4:5:6'
+               srcipaddr='a:b:c::' srcipmask='128'
+               dscp='33'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <all-ipv6 srcmacaddr='1:2:3:4:5:6'
+               srcipaddr='::10.1.2.3' srcipmask='128'
+               dscp='33'/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/all-linux.args b/tests/nwfilterxml2firewalldata/all-linux.args
new file mode 100644
index 0000000..c8116f5
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/all-linux.args
@@ -0,0 +1,18 @@
+/usr/sbin/iptables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/all.xml b/tests/nwfilterxml2firewalldata/all.xml
new file mode 100644
index 0000000..a66923c
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/all.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <all  srcmacaddr='1:2:3:4:5:6'
+           dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+           dscp='2'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <all  srcmacaddr='1:2:3:4:5:6'
+           srcipaddr='10.1.2.3' srcipmask='22'
+           dscp='33'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <all  srcmacaddr='1:2:3:4:5:6'
+           srcipaddr='10.1.2.3' srcipmask='22'
+           dscp='33'/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/arp-linux.args b/tests/nwfilterxml2firewalldata/arp-linux.args
new file mode 100644
index 0000000..469b75a
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/arp-linux.args
@@ -0,0 +1,11 @@
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x806 --arp-htype 12 --arp-opcode 1 \
+--arp-ptype 0x22 --arp-mac-src 01:02:03:04:05:06 --arp-mac-dst 0a:0b:0c:0d:0e:0f \
+-j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x806 --arp-htype 255 --arp-opcode 1 --arp-ptype 0xff -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x806 --arp-htype 256 --arp-opcode 11 --arp-ptype 0x100 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x806 --arp-htype 65535 --arp-opcode 65535 --arp-ptype 0xffff -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -p 0x806 --arp-gratuitous -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/arp.xml b/tests/nwfilterxml2firewalldata/arp.xml
new file mode 100644
index 0000000..d0abf94
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/arp.xml
@@ -0,0 +1,32 @@
+<filter name='tck-testcase'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+          protocolid='arp'
+          dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+          hwtype='12'
+          protocoltype='34'
+          opcode='Request'
+          arpsrcmacaddr='1:2:3:4:5:6'
+          arpdstmacaddr='a:b:c:d:e:f'/>
+  </rule>
+
+  <rule action='accept' direction='out'>
+     <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+          opcode='1' hwtype='255' protocoltype='255'/>
+  </rule>
+
+  <rule action='accept' direction='out'>
+     <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+          opcode='11' hwtype='256' protocoltype='256'/>
+  </rule>
+
+  <rule action='accept' direction='out'>
+     <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+          opcode='65535' hwtype='65535' protocoltype='65535' />
+  </rule>
+
+  <rule action='accept' direction='in'>
+     <arp gratuitous='true'/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/comment-linux.args b/tests/nwfilterxml2firewalldata/comment-linux.args
new file mode 100644
index 0000000..e776d22
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/comment-linux.args
@@ -0,0 +1,49 @@
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -p 0x1234 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p ipv4 --ip-source 10.1.2.3/32 \
+--ip-destination 10.1.2.3/32 --ip-protocol 17 --ip-source-port 291:564 \
+--ip-destination-port 13398:17767 --ip-tos 0x32 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:80 -p ipv6 --ip6-source ::10.1.2.3/22 \
+--ip6-destination ::10.1.2.3/113 --ip6-protocol 6 --ip6-source-port 273:400 \
+--ip6-destination-port 13107:65535 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x806 --arp-htype 18 --arp-opcode 1 \
+--arp-ptype 0x56 --arp-mac-src 01:02:03:04:05:06 --arp-mac-dst 0a:0b:0c:0d:0e:0f \
+-j ACCEPT
+/usr/sbin/iptables -A FJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 34 --sport 291:400 --dport 564:1092 -m state \
+--state NEW,ESTABLISHED -m comment --comment 'udp rule' -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --source 10.1.2.3/32 -m dscp --dscp 34 \
+--dport 291:400 --sport 564:1092 -m state --state ESTABLISHED -m comment \
+--comment 'udp rule' -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 34 --sport 291:400 --dport 564:1092 -m state \
+--state NEW,ESTABLISHED -m comment --comment 'udp rule' -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 57 \
+--dport 32:33 --sport 256:4369 -m state --state ESTABLISHED -m comment \
+--comment 'tcp/ipv6 rule' -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 57 --sport 32:33 --dport 256:4369 -m state \
+--state NEW,ESTABLISHED -m comment --comment 'tcp/ipv6 rule' -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 57 \
+--dport 32:33 --sport 256:4369 -m state --state ESTABLISHED -m comment \
+--comment 'tcp/ipv6 rule' -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p udp -m state --state ESTABLISHED -m comment \
+--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3   spaces'\''' -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p udp -m state --state NEW,ESTABLISHED -m comment \
+--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3   spaces'\''' -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p udp -m state --state ESTABLISHED -m comment \
+--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3   spaces'\''' -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p sctp -m state --state ESTABLISHED -m comment \
+--comment 'comment with lone '\'', `, ", `, \, $x, and two  spaces' -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p sctp -m state --state NEW,ESTABLISHED -m comment \
+--comment 'comment with lone '\'', `, ", `, \, $x, and two  spaces' -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p sctp -m state --state ESTABLISHED -m comment \
+--comment 'comment with lone '\'', `, ", `, \, $x, and two  spaces' -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p ah -m state --state ESTABLISHED -m comment \
+--comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}' -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p ah -m state --state NEW,ESTABLISHED -m comment \
+--comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}' -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p ah -m state --state ESTABLISHED -m comment \
+--comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}' -j RETURN
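Review bot: The expected lines for the `udp-ipv6`, `sctp-ipv6` and `ah-ipv6` rules are the only place in this part of the suite where user-supplied filter text containing backticks, `$(...)`, `;`, `&` and embedded single quotes is carried into a firewall command, yet nothing records what property they pin. The test source is not visible in this part of the patch. Assuming the .args files are compared verbatim and cannot carry comments, the "comment" test case there should get a comment stating that the `--comment` value must remain a single argument and that the `'\''` sequences come from the command-to-string rendering used for comparison. It should also say that the four ebtables rules (mac, ip, ipv6, arp) intentionally emit no comment, since the first four expected commands drop the `comment` attribute that comment.xml sets on them.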
diff --git a/tests/nwfilterxml2firewalldata/comment.xml b/tests/nwfilterxml2firewalldata/comment.xml
new file mode 100644
index 0000000..a154a17
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/comment.xml
@@ -0,0 +1,71 @@
+<filter name='tck-testcase'>
+  <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+
+  <rule action='accept' direction='in'>
+    <mac protocolid='0x1234' comment='mac rule'/>
+  </rule>
+
+  <rule action='accept' direction='out'>
+     <ip  srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+          dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+          srcipaddr='10.1.2.3' srcipmask='255.255.255.255'
+          dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+          protocol='udp'
+          srcportstart='0x123' srcportend='0x234'
+          dstportstart='0x3456' dstportend='0x4567'
+          dscp='0x32' comment='ip rule'/>
+  </rule>
+
+  <rule action='accept' direction='out'>
+     <ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe'
+           dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80'
+           srcipaddr='::10.1.2.3' srcipmask='22'
+           dstipaddr='::10.1.2.3'
+           dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000'
+           protocol='tcp'
+           srcportstart='0x111' srcportend='400'
+           dstportstart='0x3333' dstportend='65535' comment='ipv6 rule'/>
+  </rule>
+
+  <rule action='accept' direction='out'>
+     <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+          dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+          hwtype='0x12'
+          protocoltype='0x56'
+          opcode='Request'
+          arpsrcmacaddr='1:2:3:4:5:6'
+          arpdstmacaddr='a:b:c:d:e:f'
+          comment='arp rule'/>
+  </rule>
+
+  <rule action='accept' direction='out'>
+     <udp srcmacaddr='1:2:3:4:5:6'
+          dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+          dscp='0x22'
+          srcportstart='0x123' srcportend='400'
+          dstportstart='0x234' dstportend='0x444'
+          comment='udp rule'/>
+  </rule>
+
+  <rule action='accept' direction='in'>
+     <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+               srcipaddr='a:b:c::' srcipmask='128'
+               dscp='0x39'
+               srcportstart='0x20' srcportend='0x21'
+               dstportstart='0x100' dstportend='0x1111'
+               comment='tcp/ipv6 rule'/>
+  </rule>
+
+  <rule action='accept' direction='in'>
+     <udp-ipv6 comment='`ls`;${COLUMNS};$(ls);"test";&'3   spaces''/>
+  </rule>
+
+  <rule action='accept' direction='in'>
+     <sctp-ipv6 comment='comment with lone ', `, ", `, \, $x, and two  spaces'/>
+  </rule>
+
+  <rule action='accept' direction='in'>
+     <ah-ipv6 comment='tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}'/>
+  </rule>
+
+</filter>
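Review bot: As shown here, the `comment` attributes of the last three rules contain raw `'`, `"`, `&` and `<` inside a single-quoted attribute value, which is not well-formed XML and would not parse. This is most likely the list archive decoding the entities. It is still worth checking that the committed file keeps them escaped (`&apos;`, `&quot;`, `&amp;`, `&lt;`, `&gt;`), because this is the one fixture that exercises shell metacharacters in rule text.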
diff --git a/tests/nwfilterxml2firewalldata/conntrack-linux.args b/tests/nwfilterxml2firewalldata/conntrack-linux.args
new file mode 100644
index 0000000..96b29ac
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/conntrack-linux.args
@@ -0,0 +1,7 @@
+/usr/sbin/iptables -A FJ-vnet0 -p icmp -m connlimit --connlimit-above 1 -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p icmp -m connlimit --connlimit-above 1 -j DROP
+/usr/sbin/iptables -A FJ-vnet0 -p tcp -m connlimit --connlimit-above 2 -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p tcp -m connlimit --connlimit-above 2 -j DROP
+/usr/sbin/iptables -A FJ-vnet0 -p all -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m state --state NEW,ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/conntrack.xml b/tests/nwfilterxml2firewalldata/conntrack.xml
new file mode 100644
index 0000000..0682b25
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/conntrack.xml
@@ -0,0 +1,12 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+  <rule action='drop' direction='out' priority='500'>
+    <icmp connlimit-above='1'/>
+  </rule>
+  <rule action='drop' direction='out' priority='500'>
+    <tcp connlimit-above='2'/>
+  </rule>
+  <rule action='accept' direction='out' priority='500'>
+    <all/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args b/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
new file mode 100644
index 0000000..d8c3a3c
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p esp --destination f:e:d::c:b:a/127 \
+--source a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p esp --destination a:b:c::/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p esp --destination a:b:c::/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p esp --destination ::10.1.2.3/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p esp --destination ::10.1.2.3/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/esp-ipv6.xml b/tests/nwfilterxml2firewalldata/esp-ipv6.xml
new file mode 100644
index 0000000..295d0f9
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/esp-ipv6.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <esp-ipv6 srcmacaddr='1:2:3:4:5:6'
+               dstipaddr='a:b:c::d:e:f' dstipmask='128'
+               srcipaddr='f:e:d::c:b:a' srcipmask='127'
+               dscp='2'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <esp-ipv6 srcmacaddr='1:2:3:4:5:6'
+               srcipaddr='a:b:c::' srcipmask='128'
+               dscp='33'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <esp-ipv6 srcmacaddr='1:2:3:4:5:6'
+               srcipaddr='::10.1.2.3' srcipmask='128'
+               dscp='33'/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/esp-linux.args b/tests/nwfilterxml2firewalldata/esp-linux.args
new file mode 100644
index 0000000..aeee6eb
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/esp-linux.args
@@ -0,0 +1,18 @@
+/usr/sbin/iptables -A FJ-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p esp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p esp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p esp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p esp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p esp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/esp.xml b/tests/nwfilterxml2firewalldata/esp.xml
new file mode 100644
index 0000000..1f75df1
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/esp.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <esp srcmacaddr='1:2:3:4:5:6'
+          dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+          dscp='2'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <esp srcmacaddr='1:2:3:4:5:6'
+          srcipaddr='10.1.2.3' srcipmask='22'
+          dscp='33'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <esp srcmacaddr='1:2:3:4:5:6'
+          srcipaddr='10.1.2.3' srcipmask='22'
+          dscp='33'/>
+  </rule>
+</filter>
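Review bot: The second and third rules in esp.xml are identical (`direction='in'`, `srcipaddr='10.1.2.3' srcipmask='22'`, `dscp='33'`), so the last six lines of esp-linux.args repeat the six before them and add no coverage. The IPv6 sibling esp-ipv6.xml varies the third rule's address (`::10.1.2.3`), which suggests the duplicate is a leftover from deriving the IPv4 case. igmp.xml and igmp-linux.args carry the same duplication. Either drop the third rule or vary it, for example with a constructed value such as `srcipaddr='10.1.2.3' srcipmask='255.255.255.0'`, and regenerate the expected output.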
diff --git a/tests/nwfilterxml2firewalldata/example-1-linux.args b/tests/nwfilterxml2firewalldata/example-1-linux.args
new file mode 100644
index 0000000..647980b
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/example-1-linux.args
@@ -0,0 +1,13 @@
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --sport 22 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED \
+-j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --sport 22 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p icmp -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p icmp -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p all -j DROP
diff --git a/tests/nwfilterxml2firewalldata/example-1.xml b/tests/nwfilterxml2firewalldata/example-1.xml
new file mode 100644
index 0000000..ad15a98
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/example-1.xml
@@ -0,0 +1,24 @@
+<filter name='tck-testcase'>
+  <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+
+  <!-- allow incoming ssh connections -->
+  <rule action='accept' direction='in' priority='100'>
+    <tcp dstportstart='22'/>
+  </rule>
+
+  <!-- allow incoming ICMP (ping) packets -->
+  <rule action='accept' direction='in' priority='200'>
+    <icmp/>
+  </rule>
+
+  <!-- allow all outgoing traffic -->
+  <rule action='accept' direction='in' priority='300'>
+    <all/>
+  </rule>
+
+  <!-- drop all other traffic -->
+  <rule action='drop' direction='inout' priority='1000'>
+    <all/>
+  </rule>
+
+</filter>
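Review bot: The comment on the third rule reads `<!-- allow all outgoing traffic -->`, but the rule under it is `direction='in'`. The expected output in example-1-linux.args follows the attribute rather than the comment: NEW,ESTABLISHED is accepted on FP-vnet0 for `-p all`, and FJ-vnet0/HJ-vnet0 only let ESTABLISHED through. The generated policy therefore accepts all inbound traffic, which makes the ssh and icmp rules above it redundant, and it never exercises an outgoing accept-all. If outgoing was intended, change the rule to `direction='out'` and regenerate the .args file; otherwise correct the comment to `<!-- allow all incoming traffic -->`.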
diff --git a/tests/nwfilterxml2firewalldata/example-2-linux.args b/tests/nwfilterxml2firewalldata/example-2-linux.args
new file mode 100644
index 0000000..445aa73
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/example-2-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED,RELATED -m comment \
+--comment 'out: existing and related (ftp) connections' -j RETURN
+/usr/sbin/iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED,RELATED -m comment \
+--comment 'out: existing and related (ftp) connections' -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m state --state ESTABLISHED -m comment \
+--comment 'in: existing connections' -j ACCEPT
+/usr/sbin/iptables -A FP-vnet0 -p tcp --dport 21:22 -m state --state NEW -m comment \
+--comment 'in: ftp and ssh' -j ACCEPT
+/usr/sbin/iptables -A FP-vnet0 -p icmp -m state --state NEW -m comment \
+--comment 'in: icmp' -j ACCEPT
+/usr/sbin/iptables -A FJ-vnet0 -p udp --dport 53 -m state --state NEW -m comment \
+--comment 'out: DNS lookups' -j RETURN
+/usr/sbin/iptables -A HJ-vnet0 -p udp --dport 53 -m state --state NEW -m comment \
+--comment 'out: DNS lookups' -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m comment \
+--comment 'inout: drop all non-accepted traffic' -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all -m comment \
+--comment 'inout: drop all non-accepted traffic' -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p all -m comment \
+--comment 'inout: drop all non-accepted traffic' -j DROP
diff --git a/tests/nwfilterxml2firewalldata/example-2.xml b/tests/nwfilterxml2firewalldata/example-2.xml
new file mode 100644
index 0000000..7bda4e6
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/example-2.xml
@@ -0,0 +1,37 @@
+<filter name='tck-testcase'>
+  <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+
+  <!-- VM outgoing: allow all established and related connections -->
+  <rule action='accept' direction='out' priority='100'>
+    <all state='ESTABLISHED,RELATED'
+         comment='out: existing and related (ftp) connections'/>
+  </rule>
+
+  <!-- VM incoming: allow all established connections -->
+  <rule action='accept' direction='in' priority='100'>
+    <all state='ESTABLISHED'
+         comment='in: existing connections'/>
+  </rule>
+
+  <!-- allow incoming ssh and ftp traffic -->
+  <rule action='accept' direction='in' priority='200'>
+    <tcp dstportstart='21' dstportend='22' state='NEW'
+         comment='in: ftp and ssh'/>
+  </rule>
+
+  <!-- allow incoming ICMP (ping) packets -->
+  <rule action='accept' direction='in' priority='300'>
+    <icmp state='NEW' comment='in: icmp'/>
+  </rule>
+
+  <!-- allow outgong DNS lookups -->
+  <rule action='accept' direction='out' priority='300'>
+    <udp dstportstart='53' state='NEW' comment='out: DNS lookups'/>
+  </rule>
+
+  <!-- drop all other traffic -->
+  <rule action='drop' direction='inout' priority='1000'>
+    <all comment='inout: drop all non-accepted traffic'/>
+  </rule>
+
+</filter>
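Review bot: The comment above the DNS rule is misspelled, `<!-- allow outgong DNS lookups -->`; it should read `<!-- allow outgoing DNS lookups -->`. The file is new in this tree, so the typo is cheap to fix here rather than carry over from the test suite it was copied from.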
diff --git a/tests/nwfilterxml2firewalldata/hex-data-linux.args b/tests/nwfilterxml2firewalldata/hex-data-linux.args
new file mode 100644
index 0000000..209c863
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/hex-data-linux.args
@@ -0,0 +1,28 @@
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -p 0x1234 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p ipv4 --ip-source 10.1.2.3/32 \
+--ip-destination 10.1.2.3/32 --ip-protocol 17 --ip-source-port 291:564 \
+--ip-destination-port 13398:17767 --ip-tos 0x32 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:80 -p ipv6 --ip6-source ::10.1.2.3/22 \
+--ip6-destination ::10.1.2.3/113 --ip6-protocol 6 --ip6-source-port 273:400 \
+--ip6-destination-port 13107:65535 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x806 --arp-htype 18 --arp-opcode 1 \
+--arp-ptype 0x56 --arp-mac-src 01:02:03:04:05:06 --arp-mac-dst 0a:0b:0c:0d:0e:0f \
+-j ACCEPT
+/usr/sbin/iptables -A FJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 34 --sport 291:400 --dport 564:1092 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --source 10.1.2.3/32 -m dscp --dscp 34 \
+--dport 291:400 --sport 564:1092 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 34 --sport 291:400 --dport 564:1092 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 57 \
+--dport 32:33 --sport 256:4369 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 57 --sport 32:33 --dport 256:4369 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 57 \
+--dport 32:33 --sport 256:4369 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/hex-data.xml b/tests/nwfilterxml2firewalldata/hex-data.xml
new file mode 100644
index 0000000..45df451
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/hex-data.xml
@@ -0,0 +1,56 @@
+<filter name='tck-testcase'>
+  <uuid>01a992d2-f8c8-7c27-f69b-ab0a9d377379</uuid>
+
+  <rule action='accept' direction='in'>
+    <mac protocolid='0x1234'/>
+  </rule>
+
+  <rule action='accept' direction='out'>
+     <ip  srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+          dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+          srcipaddr='10.1.2.3' srcipmask='255.255.255.255'
+          dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+          protocol='udp'
+          srcportstart='0x123' srcportend='0x234'
+          dstportstart='0x3456' dstportend='0x4567'
+          dscp='0x32'/>
+  </rule>
+
+  <rule action='accept' direction='out'>
+     <ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe'
+           dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80'
+           srcipaddr='::10.1.2.3' srcipmask='22'
+           dstipaddr='::10.1.2.3'
+           dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000'
+           protocol='tcp'
+           srcportstart='0x111' srcportend='400'
+           dstportstart='0x3333' dstportend='65535'/>
+  </rule>
+
+  <rule action='accept' direction='out'>
+     <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+          dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+          hwtype='0x12'
+          protocoltype='0x56'
+          opcode='Request'
+          arpsrcmacaddr='1:2:3:4:5:6'
+          arpdstmacaddr='a:b:c:d:e:f'/>
+  </rule>
+
+  <rule action='accept' direction='out'>
+     <udp srcmacaddr='1:2:3:4:5:6'
+          dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+          dscp='0x22'
+          srcportstart='0x123' srcportend='400'
+          dstportstart='0x234' dstportend='0x444'/>
+  </rule>
+
+  <rule action='accept' direction='in'>
+     <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+               srcipaddr='a:b:c::' srcipmask='128'
+               dscp='0x39'
+               srcportstart='0x20' srcportend='0x21'
+               dstportstart='0x100' dstportend='0x1111'/>
+  </rule>
+
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction-linux.args b/tests/nwfilterxml2firewalldata/icmp-direction-linux.args
new file mode 100644
index 0000000..b4df953
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-direction-linux.args
@@ -0,0 +1,9 @@
+/usr/sbin/iptables -A FP-vnet0 -p icmp --icmp-type 0 -m state --state NEW,ESTABLISHED \
+-j ACCEPT
+/usr/sbin/iptables -A FJ-vnet0 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/iptables -A HJ-vnet0 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p icmp -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p icmp -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p icmp -j DROP
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction.xml b/tests/nwfilterxml2firewalldata/icmp-direction.xml
new file mode 100644
index 0000000..e2184e8
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-direction.xml
@@ -0,0 +1,15 @@
+<filter name='tck-testcase'>
+    <uuid>f4b3f745-d23d-2ee6-218a-d5671611229b</uuid>
+    <!-- allow incoming ICMP Echo Reply -->
+    <rule action='accept' direction='in' priority='500'>
+        <icmp type='0'/>
+    </rule>
+    <!-- allow outgoing ICMP Echo Request -->
+    <rule action='accept' direction='out' priority='500'>
+        <icmp type='8'/>
+    </rule>
+    <!-- drop all other ICMP traffic -->
+    <rule action='drop' direction='inout' priority='600'>
+        <icmp/>
+    </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args b/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args
new file mode 100644
index 0000000..fe1e316
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args
@@ -0,0 +1,9 @@
+/usr/sbin/iptables -A FP-vnet0 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED \
+-j ACCEPT
+/usr/sbin/iptables -A FJ-vnet0 -p icmp --icmp-type 0 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/iptables -A HJ-vnet0 -p icmp --icmp-type 0 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p icmp -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p icmp -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p icmp -j DROP
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction2.xml b/tests/nwfilterxml2firewalldata/icmp-direction2.xml
new file mode 100644
index 0000000..a552985
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-direction2.xml
@@ -0,0 +1,15 @@
+<filter name='tck-testcase'>
+    <uuid>d6b1a2af-def6-2898-9f8d-4a74e3c39558</uuid>
+    <!-- allow incoming ICMP Echo Request -->
+    <rule action='accept' direction='in' priority='500'>
+        <icmp type='8'/>
+    </rule>
+    <!-- allow outgoing ICMP Echo Reply -->
+    <rule action='accept' direction='out' priority='500'>
+        <icmp type='0'/>
+    </rule>
+    <!-- drop all other ICMP traffic -->
+    <rule action='drop' direction='inout' priority='600'>
+        <icmp/>
+    </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
new file mode 100644
index 0000000..31fa70e
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
@@ -0,0 +1,6 @@
+/usr/sbin/iptables -A FJ-vnet0 -p icmp -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p icmp -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p icmp -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p all -j DROP
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction3.xml b/tests/nwfilterxml2firewalldata/icmp-direction3.xml
new file mode 100644
index 0000000..c592903
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-direction3.xml
@@ -0,0 +1,10 @@
+<filter name='tck-testcase'>
+    <uuid>d6b1a2af-def6-2898-9f8d-4a74e3c39558</uuid>
+    <rule action='accept' direction='out' priority='500'>
+        <icmp/>
+    </rule>
+    <!-- drop all other traffic -->
+    <rule action='drop' direction='inout' priority='600'>
+        <all/>
+    </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/icmp-linux.args b/tests/nwfilterxml2firewalldata/icmp-linux.args
new file mode 100644
index 0000000..b09941d
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-linux.args
@@ -0,0 +1,9 @@
+/usr/sbin/iptables -A FJ-vnet0 -p icmp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 --icmp-type 12/11 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A HJ-vnet0 -p icmp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 --icmp-type 12/11 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p icmp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 --icmp-type 255/255 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/icmp.xml b/tests/nwfilterxml2firewalldata/icmp.xml
new file mode 100644
index 0000000..fff5d42
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp.xml
@@ -0,0 +1,13 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <icmp srcmacaddr='1:2:3:4:5:6'
+           dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+           dscp='2' type='12' code='11'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <icmp srcmacaddr='1:2:3:4:5:6'
+           srcipaddr='10.1.2.3' srcipmask='22'
+           dscp='33' type='255' code='255'/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/icmpv6-linux.args b/tests/nwfilterxml2firewalldata/icmpv6-linux.args
new file mode 100644
index 0000000..f4dd2af
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmpv6-linux.args
@@ -0,0 +1,12 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p icmpv6 -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 \
+--icmpv6-type 12/11 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A HJ-vnet0 -p icmpv6 -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 \
+--icmpv6-type 12/11 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p icmpv6 -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 33 --icmpv6-type 255/255 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A FP-vnet0 -p icmpv6 -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 33 --icmpv6-type 255/255 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/icmpv6.xml b/tests/nwfilterxml2firewalldata/icmpv6.xml
new file mode 100644
index 0000000..9d24826
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmpv6.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <icmpv6 srcmacaddr='1:2:3:4:5:6'
+             dstipaddr='a:b:c::d:e:f' dstipmask='128'
+             srcipaddr='f:e:d::c:b:a' srcipmask='127'
+             dscp='2' type='12' code='11'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <icmpv6 srcmacaddr='1:2:3:4:5:6'
+             srcipaddr='a:b:c::' srcipmask='128'
+             dscp='33' type='255' code='255'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <icmpv6 srcmacaddr='1:2:3:4:5:6'
+             srcipaddr='::10.1.2.3' srcipmask='128'
+             dscp='33' type='255' code='255'/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/igmp-linux.args b/tests/nwfilterxml2firewalldata/igmp-linux.args
new file mode 100644
index 0000000..b3b3ba3
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/igmp-linux.args
@@ -0,0 +1,18 @@
+/usr/sbin/iptables -A FJ-vnet0 -p igmp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p igmp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p igmp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p igmp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p igmp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p igmp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p igmp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p igmp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p igmp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/igmp.xml b/tests/nwfilterxml2firewalldata/igmp.xml
new file mode 100644
index 0000000..0f4dcd4
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/igmp.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <igmp srcmacaddr='1:2:3:4:5:6'
+           dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+           dscp='2'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <igmp srcmacaddr='1:2:3:4:5:6'
+           srcipaddr='10.1.2.3' srcipmask='22'
+           dscp='33'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <igmp srcmacaddr='1:2:3:4:5:6'
+           srcipaddr='10.1.2.3' srcipmask='22'
+           dscp='33'/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/ip-linux.args b/tests/nwfilterxml2firewalldata/ip-linux.args
new file mode 100644
index 0000000..a577a60
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ip-linux.args
@@ -0,0 +1,8 @@
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p ipv4 --ip-source 10.1.2.3/32 \
+--ip-destination 10.1.2.3/32 --ip-protocol 17 --ip-source-port 20:22 \
+--ip-destination-port 100:101 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -p ipv4 --ip-source 10.1.2.3/17 \
+--ip-destination 10.1.2.3/24 --ip-protocol 17 --ip-tos 0x3f -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -p ipv4 --ip-source 10.1.2.3/31 \
+--ip-destination 10.1.2.3/25 --ip-protocol 255 --ip-tos 0x3f -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/ip.xml b/tests/nwfilterxml2firewalldata/ip.xml
new file mode 100644
index 0000000..da362a1
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ip.xml
@@ -0,0 +1,28 @@
+<filter name='tck-testcase'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <ip  srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+          dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+          srcipaddr='10.1.2.3' srcipmask='255.255.255.255'
+          dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+          protocol='udp'
+          srcportstart='20' srcportend='22'
+          dstportstart='100' dstportend='101'
+      />
+  </rule>
+
+  <rule action='accept' direction='out'>
+     <ip  srcipaddr='10.1.2.3' srcipmask='255.255.128.0'
+          dstipaddr='10.1.2.3' dstipmask='255.255.255.0'
+          protocol='17' dscp='63'
+      />
+  </rule>
+
+  <rule action='accept' direction='in'>
+     <ip  srcipaddr='10.1.2.3' srcipmask='255.255.255.254'
+          dstipaddr='10.1.2.3' dstipmask='255.255.255.128'
+          protocol='255' dscp='63'
+      />
+  </rule>
+
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/ipset-linux.args b/tests/nwfilterxml2firewalldata/ipset-linux.args
new file mode 100644
index 0000000..4eeb208
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ipset-linux.args
@@ -0,0 +1,36 @@
+/usr/sbin/iptables -A FJ-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \
+--match-set tck_test src,dst -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m state --state ESTABLISHED -m set \
+--match-set tck_test dst,src -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \
+--match-set tck_test src,dst -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m set --match-set tck_test src,dst -m comment \
+--comment in+NONE -j ACCEPT
+/usr/sbin/iptables -A FJ-vnet0 -p all -m set --match-set tck_test src,dst -m comment \
+--comment out+NONE -j RETURN
+/usr/sbin/iptables -A HJ-vnet0 -p all -m set --match-set tck_test src,dst -m comment \
+--comment out+NONE -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED -m set \
+--match-set tck_test dst,src,dst -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \
+--match-set tck_test src,dst,src -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED -m set \
+--match-set tck_test dst,src,dst -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED -m set \
+--match-set tck_test dst,src,dst -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \
+--match-set tck_test src,dst,src -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED -m set \
+--match-set tck_test dst,src,dst -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED -m set \
+--match-set tck_test dst,src -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \
+--match-set tck_test src,dst -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED -m set \
+--match-set tck_test dst,src -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m set --match-set tck_test dst,src -m comment \
+--comment inout -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m set --match-set tck_test src,dst -m comment \
+--comment inout -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m set --match-set tck_test dst,src -m comment \
+--comment inout -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/ipset.xml b/tests/nwfilterxml2firewalldata/ipset.xml
new file mode 100644
index 0000000..cc8ccc4
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ipset.xml
@@ -0,0 +1,25 @@
+<!-- #ipset help && iptables -t match-set -h && ipset list tck_test || ipset create tck_test hash:ip# -->
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <all  ipset='tck_test' ipsetflags='src,dst' />
+  </rule>
+  <rule action='accept' direction='in'>
+     <all  state='NONE' ipset='tck_test' ipsetflags='src,dst' comment='in+NONE'/>
+  </rule>
+  <rule action='accept' direction='out'>
+     <all  state='NONE' ipset='tck_test' ipsetflags='src,dst' comment='out+NONE'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <all  ipset='tck_test' ipsetflags='SRC,DST,SRC' />
+  </rule>
+  <rule action='accept' direction='in'>
+     <all  ipset='tck_test' ipsetflags='SRC,dSt,SRC' />
+  </rule>
+  <rule action='accept' direction='in'>
+     <all  ipset='$IPSETNAME' ipsetflags='src,dst' />
+  </rule>
+  <rule action='accept' direction='inout'>
+     <all  ipset='$IPSETNAME' ipsetflags='src,dst' comment='inout'/>
+  </rule>
+</filter>
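Review bot: The first line of ipset.xml is a shell one-liner inside an XML comment (`ipset help && ... || ipset create tck_test hash:ip`), and the last two rules use `ipset='$IPSETNAME'`, yet nothing in this hunk says who runs the command or supplies the variable. The expected output resolves `$IPSETNAME` to `tck_test`, so presumably the test harness, which is outside this hunk, defines it and never executes the comment. I would replace the first line with a plain note such as `<!-- expects the test to define IPSETNAME=tck_test; no ipset is created on the host -->`, so a reader does not mistake it for a setup step to run.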
diff --git a/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args b/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args
new file mode 100644
index 0000000..f74f449
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args
@@ -0,0 +1,2 @@
+/usr/sbin/iptables -A FP-vnet0 -p all -m mac '!' --mac-source 12:34:56:78:9a:bc -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all -m mac '!' --mac-source aa:aa:aa:aa:aa:aa -j DROP
diff --git a/tests/nwfilterxml2firewalldata/ipt-no-macspoof.xml b/tests/nwfilterxml2firewalldata/ipt-no-macspoof.xml
new file mode 100644
index 0000000..2e8f2ce
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ipt-no-macspoof.xml
@@ -0,0 +1,14 @@
+<filter name='tck-testcase'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='drop' direction='inout'>
+     <!-- should use $MAC for MAC address, but tests would depend on VM's
+          MAC address -->
+     <all match='no' srcmacaddr='12:34:56:78:9a:bc'/>
+  </rule>
+
+  <rule action='drop' direction='in'>
+     <!-- not accepting incoming traffic from a certain MAC address -->
+     <all match='no' srcmacaddr='aa:aa:aa:aa:aa:aa'/>
+  </rule>
+
+</filter>
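Review bot: The comment on the second rule, `not accepting incoming traffic from a certain MAC address`, says the opposite of what the rule does. With `match='no'` and `action='drop'` the expected output in ipt-no-macspoof-linux.args is `-m mac '!' --mac-source aa:aa:aa:aa:aa:aa -j DROP`, which drops everything except frames from that MAC; I would reword the comment to `<!-- drop incoming traffic unless it comes from this MAC address -->`. The first rule also deserves a comment: it is `direction='inout'`, yet the expected file holds a single FP-vnet0 entry for it, so the fixture pins the absence of a rule for the other direction. A reader relying on the file name for anti-spoofing coverage would otherwise miss that.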
diff --git a/tests/nwfilterxml2firewalldata/ipv6-linux.args b/tests/nwfilterxml2firewalldata/ipv6-linux.args
new file mode 100644
index 0000000..e6674f6
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ipv6-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:80 -p ipv6 --ip6-source ::10.1.2.3/22 \
+--ip6-destination ::10.1.2.3/113 --ip6-protocol 17 --ip6-source-port 20:22 \
+--ip6-destination-port 100:101 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \
+--ip6-source a:b:c::/65 --ip6-protocol 6 --ip6-destination-port 20:22 \
+--ip6-source-port 100:101 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \
+--ip6-destination a:b:c::/65 --ip6-protocol 6 --ip6-source-port 20:22 \
+--ip6-destination-port 100:101 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \
+--ip6-source a:b:c::/65 --ip6-protocol 6 --ip6-destination-port 255:256 \
+--ip6-source-port 65535:65535 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \
+--ip6-destination a:b:c::/65 --ip6-protocol 6 --ip6-source-port 255:256 \
+--ip6-destination-port 65535:65535 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \
+--ip6-source a:b:c::/65 --ip6-protocol 18 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \
+--ip6-destination a:b:c::/65 --ip6-protocol 18 -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/ipv6.xml b/tests/nwfilterxml2firewalldata/ipv6.xml
new file mode 100644
index 0000000..9f67bea
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ipv6.xml
@@ -0,0 +1,43 @@
+<filter name='tck-testcase'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe'
+           dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80'
+           srcipaddr='::10.1.2.3' srcipmask='22'
+           dstipaddr='::10.1.2.3'
+           dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000'
+           protocol='udp'
+           srcportstart='20' srcportend='22'
+           dstportstart='100' dstportend='101'
+      />
+  </rule>
+
+  <rule action='accept' direction='inout'>
+     <ipv6 srcipaddr='1::2' srcipmask='128'
+           dstipaddr='a:b:c::'
+           dstipmask='ffff:ffff:ffff:ffff:8000::'
+           protocol='6'
+           srcportstart='20' srcportend='22'
+           dstportstart='100' dstportend='101'
+      />
+  </rule>
+
+  <rule action='accept' direction='inout'>
+     <ipv6 srcipaddr='1::2' srcipmask='128'
+           dstipaddr='a:b:c::'
+           dstipmask='ffff:ffff:ffff:ffff:8000::'
+           protocol='6'
+           srcportstart='255' srcportend='256'
+           dstportstart='65535' dstportend='65535'
+      />
+  </rule>
+
+  <rule action='accept' direction='inout'>
+     <ipv6 srcipaddr='1::2' srcipmask='128'
+           dstipaddr='a:b:c::'
+           dstipmask='ffff:ffff:ffff:ffff:8000::'
+           protocol='18'
+      />
+  </rule>
+
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/iter1-linux.args b/tests/nwfilterxml2firewalldata/iter1-linux.args
new file mode 100644
index 0000000..5d8d213
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/iter1-linux.args
@@ -0,0 +1,18 @@
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 2 --dport 80 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 2 --dport 90 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 2 --dport 80 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/iter1.xml b/tests/nwfilterxml2firewalldata/iter1.xml
new file mode 100644
index 0000000..c2090e6
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/iter1.xml
@@ -0,0 +1,6 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <tcp  srcipaddr='$A' srcportstart='$B' dscp='2'/>
+  </rule>
+</filter>
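Review bot: `$A` and `$B` are not defined anywhere in iter1.xml, so the 18 expected lines in iter1-linux.args can only be checked against values set in the test driver, which is outside this hunk. A header comment such as `<!-- A and B are list variables supplied by the test driver; without an iterator id they advance together -->` would make the fixture auditable on its own; judging by the expected output the lists are walked in lock-step (1.1.1.1 with 80, 2.2.2.2 with 90, 3.3.3.3 with 80). iter2.xml has the same gap for `$A`, `$B` and `$C`, and there the `[@N]` iterator ids decide which lists are combined, which deserves one line of explanation next to its 342-line expected file.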
diff --git a/tests/nwfilterxml2firewalldata/iter2-linux.args b/tests/nwfilterxml2firewalldata/iter2-linux.args
new file mode 100644
index 0000000..42d9e92
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/iter2-linux.args
@@ -0,0 +1,342 @@
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 1 --dport 80 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 1 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 1 --dport 90 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 1 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 1 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 1 --dport 80 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 1 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 1.1.1.1 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 1.1.1.1 -m dscp --dscp 2 --dport 80 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 1.1.1.1 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 2.2.2.2 -m dscp --dscp 2 --dport 80 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 3.3.3.3 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 3.3.3.3 -m dscp --dscp 2 --dport 80 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 3.3.3.3 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 1.1.1.1 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 1.1.1.1 -m dscp --dscp 2 --dport 90 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 1.1.1.1 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 2.2.2.2 -m dscp --dscp 2 --dport 90 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 3.3.3.3 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 3.3.3.3 -m dscp --dscp 2 --dport 90 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 3.3.3.3 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 1.1.1.1 -m dscp --dscp 3 \
+--dport 80 --sport 1080 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 -m dscp --dscp 3 \
+--dport 80 --sport 1080 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 3.3.3.3 -m dscp --dscp 3 \
+--dport 80 --sport 1080 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 1.1.1.1 -m dscp --dscp 3 \
+--dport 90 --sport 1090 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 -m dscp --dscp 3 \
+--dport 90 --sport 1090 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 3.3.3.3 -m dscp --dscp 3 \
+--dport 90 --sport 1090 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 1.1.1.1 -m dscp --dscp 3 \
+--dport 80 --sport 1100 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 -m dscp --dscp 3 \
+--dport 80 --sport 1100 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 3.3.3.3 -m dscp --dscp 3 \
+--dport 80 --sport 1100 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 1.1.1.1 -m dscp --dscp 3 \
+--dport 80 --sport 1110 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 -m dscp --dscp 3 \
+--dport 80 --sport 1110 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 3.3.3.3 -m dscp --dscp 3 \
+--dport 80 --sport 1110 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 80 \
+--sport 1080 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 80 \
+--sport 1080 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 80 \
+--sport 1080 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 90 \
+--sport 1080 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 90 \
+--sport 1080 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 90 \
+--sport 1080 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 80 \
+--sport 1090 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 80 \
+--sport 1090 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 80 \
+--sport 1090 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 90 \
+--sport 1090 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 90 \
+--sport 1090 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 90 \
+--sport 1090 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 80 \
+--sport 1100 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 80 \
+--sport 1100 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 80 \
+--sport 1100 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 90 \
+--sport 1100 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 90 \
+--sport 1100 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 90 \
+--sport 1100 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 80 \
+--sport 1110 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 80 \
+--sport 1110 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 80 \
+--sport 1110 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 90 \
+--sport 1110 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 90 \
+--sport 1110 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 90 \
+--sport 1110 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 1.1.1.1 --destination 1.1.1.1 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 1.1.1.1 --source 1.1.1.1 -m dscp \
+--dscp 5 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 1.1.1.1 --destination 1.1.1.1 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 2.2.2.2 --destination 1.1.1.1 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 2.2.2.2 --source 1.1.1.1 -m dscp \
+--dscp 5 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 2.2.2.2 --destination 1.1.1.1 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 3.3.3.3 --destination 1.1.1.1 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 3.3.3.3 --source 1.1.1.1 -m dscp \
+--dscp 5 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 3.3.3.3 --destination 1.1.1.1 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 1.1.1.1 --destination 2.2.2.2 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 1.1.1.1 --source 2.2.2.2 -m dscp \
+--dscp 5 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 1.1.1.1 --destination 2.2.2.2 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 2.2.2.2 --destination 2.2.2.2 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 2.2.2.2 --source 2.2.2.2 -m dscp \
+--dscp 5 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 2.2.2.2 --destination 2.2.2.2 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 3.3.3.3 --destination 2.2.2.2 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 3.3.3.3 --source 2.2.2.2 -m dscp \
+--dscp 5 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 3.3.3.3 --destination 2.2.2.2 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 1.1.1.1 --destination 3.3.3.3 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 1.1.1.1 --source 3.3.3.3 -m dscp \
+--dscp 5 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 1.1.1.1 --destination 3.3.3.3 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 2.2.2.2 --destination 3.3.3.3 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 2.2.2.2 --source 3.3.3.3 -m dscp \
+--dscp 5 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 2.2.2.2 --destination 3.3.3.3 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 3.3.3.3 --destination 3.3.3.3 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 3.3.3.3 --source 3.3.3.3 -m dscp \
+--dscp 5 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 3.3.3.3 --destination 3.3.3.3 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 1.1.1.1 --destination 1.1.1.1 -m dscp \
+--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 1.1.1.1 --source 1.1.1.1 -m dscp \
+--dscp 6 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 1.1.1.1 --destination 1.1.1.1 -m dscp \
+--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 --destination 2.2.2.2 -m dscp \
+--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 --source 2.2.2.2 -m dscp \
+--dscp 6 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 --destination 2.2.2.2 -m dscp \
+--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 3.3.3.3 --destination 3.3.3.3 -m dscp \
+--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 3.3.3.3 --source 3.3.3.3 -m dscp \
+--dscp 6 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 3.3.3.3 --destination 3.3.3.3 -m dscp \
+--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/iter2.xml b/tests/nwfilterxml2firewalldata/iter2.xml
new file mode 100644
index 0000000..3a3174a
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/iter2.xml
@@ -0,0 +1,23 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <tcp  srcipaddr='$A' srcportstart='$B[@0]' dscp='1'/>
+  </rule>
+  <rule action='accept' direction='out'>
+     <udp  srcipaddr='$A[@1]' srcportstart='$B[@2]' dscp='2'/>
+  </rule>
+  <rule action='accept' direction='out'>
+     <sctp  srcipaddr='$A[@1]' srcportstart='$B[@2]' dstportstart='$C[@2]'
+           dscp='3'/>
+  </rule>
+  <rule action='accept' direction='out'>
+     <tcp srcipaddr='$A[@1]' srcportstart='$B[@2]' dstportstart='$C[@3]'
+           dscp='4'/>
+  </rule>
+  <rule action='accept' direction='out'>
+     <udp srcipaddr='$A[@1]' dstipaddr='$A[@2]' dscp='5'/>
+  </rule>
+  <rule action='accept' direction='out'>
+     <sctp srcipaddr='$A' dstipaddr='$A' dscp='6'/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/iter3-linux.args b/tests/nwfilterxml2firewalldata/iter3-linux.args
new file mode 100644
index 0000000..c74338c
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/iter3-linux.args
@@ -0,0 +1,30 @@
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 1 --dport 80 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 1 --dport 90 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 2.2.2.2 -m dscp --dscp 2 --dport 80 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 2.2.2.2 -m dscp --dscp 2 --dport 90 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 -m dscp --dscp 3 \
+--dport 80 --sport 1100 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/iter3.xml b/tests/nwfilterxml2firewalldata/iter3.xml
new file mode 100644
index 0000000..47f5096
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/iter3.xml
@@ -0,0 +1,13 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <tcp  srcipaddr='$A[ 0]' srcportstart='$B[  @0 ] ' dscp='1'/>
+  </rule>
+  <rule action='accept' direction='out'>
+     <udp  srcipaddr='$A[1 ]' srcportstart='$B[ @2 ]' dscp='2'/>
+  </rule>
+  <rule action='accept' direction='out'>
+     <sctp  srcipaddr='$A[ 1 ] ' srcportstart='$B[2 ] ' dstportstart='$C[ 2 ]'
+           dscp='3'/>
+  </rule>
+</filter>
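Review bot: The irregular spacing inside the variable references (`$A[ 0]`, `$B[  @0 ] `, `$A[ 1 ] ` with a space before the closing quote) looks deliberate, but nothing in the file says so, and a later whitespace cleanup would silently remove the coverage. A comment above the first rule, for example `<!-- spacing inside [ ] and after ] is intentional: exercises lenient variable-reference parsing -->`, would protect it. Because this XML decides which guest traffic is allowed, a companion fixture that the parser must reject (for example an unterminated bracket) would show where the leniency stops; no such case is visible in this part of the patch.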
diff --git a/tests/nwfilterxml2firewalldata/mac-linux.args b/tests/nwfilterxml2firewalldata/mac-linux.args
new file mode 100644
index 0000000..d03b706
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/mac-linux.args
@@ -0,0 +1,8 @@
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x806 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
+-p 0x800 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
+-p 0x600 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
+-p 0xffff -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/mac.xml b/tests/nwfilterxml2firewalldata/mac.xml
new file mode 100644
index 0000000..2aec935
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/mac.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+     protocolid='arp'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+     protocolid='ipv4'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+     protocolid='1536'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+     protocolid='65535'/>
+  </rule>
+</filter>
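Review bot: The numeric `protocolid` values `1536` and `65535` in the last two rules are boundary cases (mac-linux.args expects `-p 0x600` and `-p 0xffff` for them), but the file does not say why those numbers were chosen. A comment such as `<!-- 1536 (0x600) and 65535 (0xffff): lowest and highest numeric EtherType -->` would keep a later edit from replacing them with arbitrary values. Whether a value below 1536 is rejected is not visible from this patch, so a negative case may be worth adding separately.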
diff --git a/tests/nwfilterxml2firewalldata/rarp-linux.args b/tests/nwfilterxml2firewalldata/rarp-linux.args
new file mode 100644
index 0000000..c100470
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/rarp-linux.args
@@ -0,0 +1,12 @@
+/usr/sbin/ebtables -t nat -N libvirt-J-vnet0
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8035 --arp-htype 12 --arp-opcode 1 \
+--arp-ptype 0x22 --arp-mac-src 01:02:03:04:05:06 --arp-mac-dst 0a:0b:0c:0d:0e:0f \
+-j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x8035 --arp-htype 255 --arp-opcode 1 --arp-ptype 0xff -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x8035 --arp-htype 256 --arp-opcode 11 --arp-ptype 0x100 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x8035 --arp-htype 65535 --arp-opcode 65535 --arp-ptype 0xffff -j ACCEPT
+/usr/sbin/ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0
diff --git a/tests/nwfilterxml2firewalldata/rarp.xml b/tests/nwfilterxml2firewalldata/rarp.xml
new file mode 100644
index 0000000..77c1127
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/rarp.xml
@@ -0,0 +1,28 @@
+<filter name='tck-testcase'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+           protocolid='rarp'
+           dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+           hwtype='12'
+           protocoltype='34'
+           opcode='Request'
+           arpsrcmacaddr='1:2:3:4:5:6'
+           arpdstmacaddr='a:b:c:d:e:f'/>
+  </rule>
+
+  <rule action='accept' direction='out'>
+     <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+           opcode='1' hwtype='255' protocoltype='255'/>
+  </rule>
+
+  <rule action='accept' direction='out'>
+     <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+           opcode='11' hwtype='256' protocoltype='256'/>
+  </rule>
+
+  <rule action='accept' direction='out'>
+     <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+           opcode='65535' hwtype='65535' protocoltype='65535' />
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/ref-rule.xml b/tests/nwfilterxml2firewalldata/ref-rule.xml
new file mode 100644
index 0000000..5cb2fad
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ref-rule.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase'>
+  <uuid>83011800-f663-96d6-8841-fd836b4318c6</uuid>
+  <filterref filter='clean-traffic'/>
+  <rule action='accept' direction='out'>
+     <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+     protocolid='arp'/>
+  </rule>
+  <rule action='accept' direction='out'>
+     <tcp srcmacaddr='1:2:3:4:5:6'
+          dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+          dscp='2'/>
+  </rule>
+  <rule action='accept' direction='out'>
+     <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+               dstipaddr='a:b:c::d:e:f' dstipmask='128'
+               dscp='2'/>
+  </rule>
+</filter>
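Review bot: This fixture and ref.xml are added without a matching `ref-rule-linux.args` or `ref-linux.args`, whereas every other XML fixture visible in this part of the patch is preceded by its expected output. If the harness does not load these two files, the `<filterref filter='clean-traffic'/>` path is not exercised at all. If it does load them, the referenced `clean-traffic` filter has to be resolved from somewhere this hunk does not show. Either add the expected output together with the referenced filter, or leave the two files out until filter references can be resolved in the test.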
diff --git a/tests/nwfilterxml2firewalldata/ref.xml b/tests/nwfilterxml2firewalldata/ref.xml
new file mode 100644
index 0000000..beb46d2
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ref.xml
@@ -0,0 +1,4 @@
+<filter name='tck-testcase'>
+  <uuid>83011800-f663-96d6-8841-fd836b4318c6</uuid>
+  <filterref filter='clean-traffic'/>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args b/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
new file mode 100644
index 0000000..956ab82
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
@@ -0,0 +1,22 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p sctp --source a:b:c::d:e:f/128 -m dscp --dscp 2 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p sctp --destination a:b:c::/128 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p sctp --destination a:b:c::/128 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p sctp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p sctp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/sctp-ipv6.xml b/tests/nwfilterxml2firewalldata/sctp-ipv6.xml
new file mode 100644
index 0000000..d1a57b8
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/sctp-ipv6.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
+                dstipaddr='a:b:c::d:e:f' dstipmask='128'
+                dscp='2'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
+                srcipaddr='a:b:c::' srcipmask='128'
+                dscp='33'
+                srcportstart='20' srcportend='21'
+                dstportstart='100' dstportend='1111'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
+                srcipaddr='::10.1.2.3' srcipmask='128'
+                dscp='63'
+                srcportstart='255' srcportend='256'
+                dstportstart='65535' dstportend='65535'/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/sctp-linux.args b/tests/nwfilterxml2firewalldata/sctp-linux.args
new file mode 100644
index 0000000..643db68
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/sctp-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/iptables -A FJ-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --destination 10.1.2.3/32 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/32 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --destination 10.1.2.3/32 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --destination 10.1.2.3/32 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/32 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --destination 10.1.2.3/32 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/sctp.xml b/tests/nwfilterxml2firewalldata/sctp.xml
new file mode 100644
index 0000000..c3c1000
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/sctp.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <sctp srcmacaddr='1:2:3:4:5:6'
+           dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+           dscp='2'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <sctp srcmacaddr='1:2:3:4:5:6'
+           srcipaddr='10.1.2.3' srcipmask='32'
+           dscp='33'
+           srcportstart='20' srcportend='21'
+           dstportstart='100' dstportend='1111'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <sctp srcmacaddr='1:2:3:4:5:6'
+           srcipaddr='10.1.2.3' srcipmask='32'
+           dscp='63'
+           srcportstart='255' srcportend='256'
+           dstportstart='65535' dstportend='65535'/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/stp-linux.args b/tests/nwfilterxml2firewalldata/stp-linux.args
new file mode 100644
index 0000000..4f66836
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/stp-linux.args
@@ -0,0 +1,18 @@
+/usr/sbin/ebtables -t nat -F J-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -X J-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -N J-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -d 01:80:c2:00:00:00 -j J-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -F P-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -X P-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -N P-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d 01:80:c2:00:00:00 -j P-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -A P-vnet0-stp-xyz -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d 01:80:c2:00:00:00 --stp-type 18 --stp-flags 68 -j CONTINUE
+/usr/sbin/ebtables -t nat -A J-vnet0-stp-xyz -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d 01:80:c2:00:00:00 --stp-root-pri 4660:9029 \
+--stp-root-addr 06:05:04:03:02:01/ff:ff:ff:ff:ff:ff \
+--stp-root-cost 287454020:573785173 -j RETURN
+/usr/sbin/ebtables -t nat -A P-vnet0-stp-xyz -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d 01:80:c2:00:00:00 --stp-sender-prio 4660 --stp-sender-addr 06:05:04:03:02:01 \
+--stp-port 123:234 --stp-msg-age 5544:5555 --stp-max-age 7777:8888 \
+--stp-hello-time 12345:12346 --stp-forward-delay 54321:65432 -j DROP
diff --git a/tests/nwfilterxml2firewalldata/stp.xml b/tests/nwfilterxml2firewalldata/stp.xml
new file mode 100644
index 0000000..6b5a625
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/stp.xml
@@ -0,0 +1,26 @@
+<filter name='tck-testcase' chain='stp-xyz'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='continue' direction='in'>
+     <stp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+          type='0x12' flags='0x44'/>
+  </rule>
+
+  <rule action='return' direction='out'>
+     <stp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+          root-priority='0x1234' root-priority-hi='0x2345'
+          root-address="6:5:4:3:2:1" root-address-mask='ff:ff:ff:ff:ff:ff'
+          root-cost='0x11223344' root-cost-hi='0x22334455' />
+  </rule>
+
+  <rule action='reject' direction='in'>
+     <stp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+          sender-priority='0x1234'
+          sender-address="6:5:4:3:2:1"
+          port='123' port-hi='234'
+          age='5544' age-hi='5555'
+          max-age='7777'  max-age-hi='8888'
+          hello-time='12345' hello-time-hi='12346'
+          forward-delay='54321' forward-delay-hi='65432'/>
+  </rule>
+
+</filter>
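Review bot: The third rule uses `action='reject'`, yet the expected command for it in stp-linux.args ends in `-j DROP`, and nothing in the fixture explains the difference. As far as I know ebtables has no REJECT target, so the mapping is probably intended, but a reader comparing the XML with the output will take it for a bug. Add `<!-- reject is emitted as DROP at the ebtables layer -->` above that rule. The `mac` rules with `action='reject'` in target.xml show the same mapping in target-linux.args.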
diff --git a/tests/nwfilterxml2firewalldata/target-linux.args b/tests/nwfilterxml2firewalldata/target-linux.args
new file mode 100644
index 0000000..bf3b2dc
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/target-linux.args
@@ -0,0 +1,75 @@
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x806 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x806 -j DROP
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x806 -j DROP
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
+-p 0x800 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
+-p 0x800 -j DROP
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
+-p 0x800 -j DROP
+/usr/sbin/iptables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -m comment \
+--comment 'accept rule -- dir out' -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -m comment --comment 'accept rule -- dir out' -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -m comment \
+--comment 'accept rule -- dir out' -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m comment \
+--comment 'drop rule   -- dir out' -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all --source 10.1.2.3/32 -m dscp --dscp 2 -m comment \
+--comment 'drop rule   -- dir out' -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m comment \
+--comment 'drop rule   -- dir out' -j DROP
+/usr/sbin/iptables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m comment \
+--comment 'reject rule -- dir out' -j REJECT
+/usr/sbin/iptables -A FP-vnet0 -p all --source 10.1.2.3/32 -m dscp --dscp 2 \
+-m comment --comment 'reject rule -- dir out' -j REJECT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m comment \
+--comment 'reject rule -- dir out' -j REJECT
+/usr/sbin/iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -m comment --comment 'accept rule -- dir in' -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -m comment \
+--comment 'accept rule -- dir in' -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -m comment --comment 'accept rule -- dir in' -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m comment --comment 'drop rule   -- dir in' -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m comment --comment 'drop rule   -- dir in' \
+-j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m comment --comment 'drop rule   -- dir in' -j DROP
+/usr/sbin/iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m comment --comment 'reject rule -- dir in' -j REJECT
+/usr/sbin/iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m comment --comment 'reject rule -- dir in' \
+-j REJECT
+/usr/sbin/iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m comment --comment 'reject rule -- dir in' -j REJECT
+/usr/sbin/iptables -A FJ-vnet0 -p all -m comment --comment 'accept rule -- dir inout' \
+-j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m comment --comment 'accept rule -- dir inout' \
+-j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m comment --comment 'accept rule -- dir inout' \
+-j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m comment --comment 'drop   rule -- dir inout' \
+-j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all -m comment --comment 'drop   rule -- dir inout' \
+-j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p all -m comment --comment 'drop   rule -- dir inout' \
+-j DROP
+/usr/sbin/iptables -A FJ-vnet0 -p all -m comment --comment 'reject rule -- dir inout' \
+-j REJECT
+/usr/sbin/iptables -A FP-vnet0 -p all -m comment --comment 'reject rule -- dir inout' \
+-j REJECT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m comment --comment 'reject rule -- dir inout' \
+-j REJECT
diff --git a/tests/nwfilterxml2firewalldata/target.xml b/tests/nwfilterxml2firewalldata/target.xml
new file mode 100644
index 0000000..aa7465b
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/target.xml
@@ -0,0 +1,66 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <all  srcmacaddr='1:2:3:4:5:6'
+           dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+           dscp='2' comment='accept rule -- dir out'/>
+  </rule>
+  <rule action='drop' direction='out'>
+     <all  srcmacaddr='1:2:3:4:5:6'
+           dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+           dscp='2' comment='drop rule   -- dir out'/>
+  </rule>
+  <rule action='reject' direction='out'>
+     <all  srcmacaddr='1:2:3:4:5:6'
+           dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+           dscp='2' comment='reject rule -- dir out'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <all  srcmacaddr='1:2:3:4:5:6'
+           srcipaddr='10.1.2.3' srcipmask='22'
+           dscp='33' comment='accept rule -- dir in'/>
+  </rule>
+  <rule action='drop' direction='in'>
+     <all  srcmacaddr='1:2:3:4:5:6'
+           srcipaddr='10.1.2.3' srcipmask='22'
+           dscp='33' comment='drop rule   -- dir in'/>
+  </rule>
+  <rule action='reject' direction='in'>
+     <all  srcmacaddr='1:2:3:4:5:6'
+           srcipaddr='10.1.2.3' srcipmask='22'
+           dscp='33' comment='reject rule -- dir in'/>
+  </rule>
+  <rule action='accept' direction='inout'>
+     <all  comment='accept rule -- dir inout'/>
+  </rule>
+  <rule action='drop' direction='in'>
+     <all  comment='drop   rule -- dir inout'/>
+  </rule>
+  <rule action='reject' direction='in'>
+     <all  comment='reject rule -- dir inout'/>
+  </rule>
+  <rule action='accept' direction='out'>
+     <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+     protocolid='arp'/>
+  </rule>
+  <rule action='drop' direction='out'>
+     <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+     protocolid='arp'/>
+  </rule>
+  <rule action='reject' direction='out'>
+     <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+     protocolid='arp'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+     protocolid='ipv4'/>
+  </rule>
+  <rule action='drop' direction='in'>
+     <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+     protocolid='ipv4'/>
+  </rule>
+  <rule action='reject' direction='in'>
+     <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+     protocolid='ipv4'/>
+  </rule>
+</filter>
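Review bot: The eighth and ninth rules carry the comments `'drop   rule -- dir inout'` and `'reject rule -- dir inout'` but are declared with `direction='in'`, unlike the accept rule just before them, which really is `direction='inout'`. As written, the drop and reject cases for both directions with a comment are not exercised here, and the matching lines in target-linux.args are recorded under a misleading label. Change the two rules to `<rule action='drop' direction='inout'>` and `<rule action='reject' direction='inout'>` and regenerate the expected output, or correct the comment text if `in` was meant. target2.xml does cover `inout` for reject and drop, but without comments.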
diff --git a/tests/nwfilterxml2firewalldata/target2-linux.args b/tests/nwfilterxml2firewalldata/target2-linux.args
new file mode 100644
index 0000000..a1e4c86
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/target2-linux.args
@@ -0,0 +1,13 @@
+/usr/sbin/iptables -A FP-vnet0 -p tcp --dport 22 -j ACCEPT
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --sport 22 -j RETURN
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --sport 22 -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --sport 80 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED \
+-j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --sport 80 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp -j REJECT
+/usr/sbin/iptables -A FP-vnet0 -p tcp -j REJECT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp -j REJECT
+/usr/sbin/iptables -A FJ-vnet0 -p all -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p all -j DROP
diff --git a/tests/nwfilterxml2firewalldata/target2.xml b/tests/nwfilterxml2firewalldata/target2.xml
new file mode 100644
index 0000000..c913bf5
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/target2.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='in'>
+     <tcp dstportstart='22' state='NONE'/>
+  </rule>
+  <rule action='accept' direction='out'>
+     <tcp srcportstart='22' state='NONE'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <tcp dstportstart='80'/>
+  </rule>
+  <rule action='reject' direction='inout'>
+     <tcp/>
+  </rule>
+  <rule action='drop' direction='inout'>
+     <all/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args b/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
new file mode 100644
index 0000000..836937f
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
@@ -0,0 +1,22 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p tcp --source a:b:c::d:e:f/128 -m dscp --dscp 2 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p tcp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p tcp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/tcp-ipv6.xml b/tests/nwfilterxml2firewalldata/tcp-ipv6.xml
new file mode 100644
index 0000000..d4f24f4
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/tcp-ipv6.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+               dstipaddr='a:b:c::d:e:f' dstipmask='128'
+               dscp='2'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+               srcipaddr='a:b:c::' srcipmask='128'
+               dscp='33'
+               srcportstart='20' srcportend='21'
+               dstportstart='100' dstportend='1111'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+               srcipaddr='::10.1.2.3' srcipmask='128'
+               dscp='63'
+               srcportstart='255' srcportend='256'
+               dstportstart='65535' dstportend='65535'/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/tcp-linux.args b/tests/nwfilterxml2firewalldata/tcp-linux.args
new file mode 100644
index 0000000..c8e351b
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/tcp-linux.args
@@ -0,0 +1,22 @@
+/usr/sbin/iptables -A FJ-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --destination 10.1.2.3/32 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/32 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --destination 10.1.2.3/32 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --destination 10.1.2.3/32 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/32 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --destination 10.1.2.3/32 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --tcp-flags SYN ALL -j ACCEPT
+/usr/sbin/iptables -A FP-vnet0 -p tcp --tcp-flags SYN SYN,ACK -j ACCEPT
+/usr/sbin/iptables -A FP-vnet0 -p tcp --tcp-flags RST NONE -j ACCEPT
+/usr/sbin/iptables -A FP-vnet0 -p tcp --tcp-flags PSH NONE -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/tcp.xml b/tests/nwfilterxml2firewalldata/tcp.xml
new file mode 100644
index 0000000..14ebd35
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/tcp.xml
@@ -0,0 +1,34 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <tcp srcmacaddr='1:2:3:4:5:6'
+          dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+          dscp='2'/>
+  </rule>
+  <rule action='accept' direction='in' statematch='false'>
+     <tcp srcmacaddr='1:2:3:4:5:6'
+          srcipaddr='10.1.2.3' srcipmask='32'
+          dscp='33'
+          srcportstart='20' srcportend='21'
+          dstportstart='100' dstportend='1111'/>
+  </rule>
+  <rule action='accept' direction='in' statematch='0'>
+     <tcp srcmacaddr='1:2:3:4:5:6'
+          srcipaddr='10.1.2.3' srcipmask='32'
+          dscp='63'
+          srcportstart='255' srcportend='256'
+          dstportstart='65535' dstportend='65535'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <tcp state='NONE' flags='SYN/ALL'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <tcp state='NONE' flags='SYN/SYN,ACK'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <tcp state='NONE' flags='RST/NONE'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <tcp state='NONE' flags='PSH/'/>
+  </rule>
+</filter>
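Review bot: The last rule's `flags='PSH/'` has an empty compare list, and tcp-linux.args expects `--tcp-flags PSH NONE` for it, the same form as the explicit `RST/NONE` rule one above. If treating an empty list as NONE is intended, say so in the fixture with `<!-- empty compare list is accepted and means NONE -->`. If it is an accident of the parser, this test now pins that behaviour, and a malformed flags value in a filter would be accepted silently rather than reported. The second and third rules also rely on `statematch='false'` and `statematch='0'` being equivalent, which would be worth a one-line comment as well.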
diff --git a/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args b/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
new file mode 100644
index 0000000..d9e2060
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
@@ -0,0 +1,22 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p udp --source a:b:c::d:e:f/128 -m dscp --dscp 2 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p udp --destination ::a:b:c/128 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--source ::a:b:c/128 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p udp --destination ::a:b:c/128 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p udp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 \
+-m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p udp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/udp-ipv6.xml b/tests/nwfilterxml2firewalldata/udp-ipv6.xml
new file mode 100644
index 0000000..fd4f135
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udp-ipv6.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+               dstipaddr='a:b:c::d:e:f' dstipmask='128'
+               dscp='2'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+               srcipaddr='::a:b:c' srcipmask='128'
+               dscp='33'
+               srcportstart='20' srcportend='21'
+               dstportstart='100' dstportend='1111'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+               srcipaddr='::10.1.2.3' srcipmask='128'
+               dscp='63'
+               srcportstart='255' srcportend='256'
+               dstportstart='65535' dstportend='65535'/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/udp-linux.args b/tests/nwfilterxml2firewalldata/udp-linux.args
new file mode 100644
index 0000000..8638d8d
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udp-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/iptables -A FJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --destination 10.1.2.3/32 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/32 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --destination 10.1.2.3/32 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --destination 10.1.2.3/32 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/32 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --destination 10.1.2.3/32 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/udp.xml b/tests/nwfilterxml2firewalldata/udp.xml
new file mode 100644
index 0000000..359dfa2
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udp.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <udp srcmacaddr='1:2:3:4:5:6'
+          dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+          dscp='2'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <udp srcmacaddr='1:2:3:4:5:6'
+          srcipaddr='10.1.2.3' srcipmask='32'
+          dscp='33'
+          srcportstart='20' srcportend='21'
+          dstportstart='100' dstportend='1111'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <udp srcmacaddr='1:2:3:4:5:6'
+          srcipaddr='10.1.2.3' srcipmask='32'
+          dscp='63'
+          srcportstart='255' srcportend='256'
+          dstportstart='65535' dstportend='65535'/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
new file mode 100644
index 0000000..22d37e5
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p udplite --destination f:e:d::c:b:a/127 \
+--source a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p udplite --destination a:b:c::/128 -m dscp \
+--dscp 33 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p udplite --destination a:b:c::/128 -m dscp \
+--dscp 33 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p udplite --destination ::10.1.2.3/128 -m dscp \
+--dscp 33 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p udplite --destination ::10.1.2.3/128 -m dscp \
+--dscp 33 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/udplite-ipv6.xml b/tests/nwfilterxml2firewalldata/udplite-ipv6.xml
new file mode 100644
index 0000000..5b941a2
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udplite-ipv6.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
+               dstipaddr='a:b:c::d:e:f' dstipmask='128'
+               srcipaddr='f:e:d::c:b:a' srcipmask='127'
+               dscp='2'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
+               srcipaddr='a:b:c::' srcipmask='128'
+               dscp='33'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
+               srcipaddr='::10.1.2.3' srcipmask='128'
+               dscp='33'/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/udplite-linux.args b/tests/nwfilterxml2firewalldata/udplite-linux.args
new file mode 100644
index 0000000..52ca3df
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udplite-linux.args
@@ -0,0 +1,18 @@
+/usr/sbin/iptables -A FJ-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udplite --source 10.1.2.3/32 -m dscp --dscp 2 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udplite --destination 10.1.2.3/22 -m dscp \
+--dscp 33 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udplite --destination 10.1.2.3/22 -m dscp \
+--dscp 33 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udplite --destination 10.1.2.3/22 -m dscp \
+--dscp 33 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udplite --destination 10.1.2.3/22 -m dscp \
+--dscp 33 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/udplite.xml b/tests/nwfilterxml2firewalldata/udplite.xml
new file mode 100644
index 0000000..91262fd
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udplite.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <udplite srcmacaddr='1:2:3:4:5:6'
+              dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+              dscp='2'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <udplite srcmacaddr='1:2:3:4:5:6'
+              srcipaddr='10.1.2.3' srcipmask='22'
+              dscp='33'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <udplite srcmacaddr='1:2:3:4:5:6'
+              srcipaddr='10.1.2.3' srcipmask='22'
+              dscp='33'/>
+  </rule>
+</filter>
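Review bot: The second and third `<rule>` elements in udplite.xml are identical (`srcipaddr='10.1.2.3' srcipmask='22'`, `dscp='33'`), so the last six lines of udplite-linux.args repeat the six before them and the third rule adds no coverage. The udplite-ipv6.xml counterpart uses a different address in its third rule (`srcipaddr='::10.1.2.3'`), which suggests the IPv4 file was meant to vary as well. If the duplication is inherited from libvirt-tck and kept on purpose to stay in sync, an XML comment such as `<!-- identical to the previous rule; kept to match libvirt-tck -->` would say so. Otherwise give the third rule a different mask or DSCP value and regenerate the .args file.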
diff --git a/tests/nwfilterxml2firewalldata/vlan-linux.args b/tests/nwfilterxml2firewalldata/vlan-linux.args
new file mode 100644
index 0000000..6f858f1
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/vlan-linux.args
@@ -0,0 +1,14 @@
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -d 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-s aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 291 -j CONTINUE
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 291 -j CONTINUE
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -d 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-s aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 1234 -j RETURN
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 1234 -j RETURN
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 291 -j DROP
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-encap 2054 -j DROP
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-encap 4660 -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/vlan.xml b/tests/nwfilterxml2firewalldata/vlan.xml
new file mode 100644
index 0000000..a5e7b38
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/vlan.xml
@@ -0,0 +1,38 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='continue' direction='inout'>
+     <vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+           dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+           vlanid='0x123'
+     />
+  </rule>
+
+  <rule action='return' direction='inout'>
+     <vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+           dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+           vlanid='1234'
+     />
+  </rule>
+
+  <rule action='reject' direction='in'>
+     <vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+           dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+           vlanid='0x123'
+     />
+  </rule>
+
+  <rule action='drop' direction='out'>
+     <vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+           dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+           encap-protocol='arp'
+     />
+  </rule>
+
+  <rule action='accept' direction='out'>
+     <vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+           dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+           encap-protocol='0x1234'
+     />
+  </rule>
+
+</filter>
diff --git a/tests/nwfilterxml2firewalltest.c b/tests/nwfilterxml2firewalltest.c
new file mode 100644
index 0000000..653ac82
--- /dev/null
+++ b/tests/nwfilterxml2firewalltest.c
@@ -0,0 +1,534 @@
+/*
+ * nwfilterxml2firewalltest.c: Test iptables rule generation
+ *
+ * Copyright (C) 2014 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <config.h>
+
+#if defined (__linux__)
+
+# include "testutils.h"
+# include "nwfilter/nwfilter_ebiptables_driver.h"
+# include "virbuffer.h"
+
+# define __VIR_FIREWALL_PRIV_H_ALLOW__
+# include "virfirewallpriv.h"
+
+# define __VIR_COMMAND_PRIV_H_ALLOW__
+# include "vircommandpriv.h"
+
+# define VIR_FROM_THIS VIR_FROM_NONE
+
+static const char *abs_top_srcdir;
+
+# ifdef __linux__
+#  define RULESTYPE "linux"
+# else
+#  error "test case not ported to this platform"
+# endif
+
+typedef struct _virNWFilterInst virNWFilterInst;
+typedef virNWFilterInst *virNWFilterInstPtr;
+struct _virNWFilterInst {
+    virNWFilterDefPtr *filters;
+    size_t nfilters;
+    virNWFilterRuleInstPtr *rules;
+    size_t nrules;
+};
+
+/*
+ * Some sets of rules that will be common to all test files,
+ * so we don't bother including them in the test data files
+ * as that would just bloat them
+ */
+
+static const char *commonRules[] = {
+    /* Dropping ebtables rules */
+    "/usr/sbin/ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
+    "/usr/sbin/ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
+    "/usr/sbin/ebtables -t nat -L libvirt-J-vnet0\n"
+    "/usr/sbin/ebtables -t nat -L libvirt-P-vnet0\n"
+    "/usr/sbin/ebtables -t nat -F libvirt-J-vnet0\n"
+    "/usr/sbin/ebtables -t nat -X libvirt-J-vnet0\n"
+    "/usr/sbin/ebtables -t nat -F libvirt-P-vnet0\n"
+    "/usr/sbin/ebtables -t nat -X libvirt-P-vnet0\n",
+
+    /* Creating ebtables chains */
+    "/usr/sbin/ebtables -t nat -N libvirt-J-vnet0\n"
+    "/usr/sbin/ebtables -t nat -N libvirt-P-vnet0\n",
+
+    /* Dropping iptables rules */
+    "/usr/sbin/iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
+    "/usr/sbin/iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n"
+    "/usr/sbin/iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
+    "/usr/sbin/iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
+    "/usr/sbin/iptables -F FP-vnet0\n"
+    "/usr/sbin/iptables -X FP-vnet0\n"
+    "/usr/sbin/iptables -F FJ-vnet0\n"
+    "/usr/sbin/iptables -X FJ-vnet0\n"
+    "/usr/sbin/iptables -F HJ-vnet0\n"
+    "/usr/sbin/iptables -X HJ-vnet0\n",
+
+    /* Creating iptables chains */
+    "/usr/sbin/iptables -N libvirt-in\n"
+    "/usr/sbin/iptables -N libvirt-out\n"
+    "/usr/sbin/iptables -N libvirt-in-post\n"
+    "/usr/sbin/iptables -N libvirt-host-in\n"
+    "/usr/sbin/iptables -D FORWARD -j libvirt-in\n"
+    "/usr/sbin/iptables -D FORWARD -j libvirt-out\n"
+    "/usr/sbin/iptables -D FORWARD -j libvirt-in-post\n"
+    "/usr/sbin/iptables -D INPUT -j libvirt-host-in\n"
+    "/usr/sbin/iptables -I FORWARD 1 -j libvirt-in\n"
+    "/usr/sbin/iptables -I FORWARD 2 -j libvirt-out\n"
+    "/usr/sbin/iptables -I FORWARD 3 -j libvirt-in-post\n"
+    "/usr/sbin/iptables -I INPUT 1 -j libvirt-host-in\n"
+    "/usr/sbin/iptables -N FP-vnet0\n"
+    "/usr/sbin/iptables -N FJ-vnet0\n"
+    "/usr/sbin/iptables -N HJ-vnet0\n"
+    "/usr/sbin/iptables -A libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
+    "/usr/sbin/iptables -A libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
+    "/usr/sbin/iptables -A libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
+    "/usr/sbin/iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+    "/usr/sbin/iptables -A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n",
+
+    /* Dropping ip6tables rules */
+    "/usr/sbin/ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
+    "/usr/sbin/ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n"
+    "/usr/sbin/ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
+    "/usr/sbin/ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
+    "/usr/sbin/ip6tables -F FP-vnet0\n"
+    "/usr/sbin/ip6tables -X FP-vnet0\n"
+    "/usr/sbin/ip6tables -F FJ-vnet0\n"
+    "/usr/sbin/ip6tables -X FJ-vnet0\n"
+    "/usr/sbin/ip6tables -F HJ-vnet0\n"
+    "/usr/sbin/ip6tables -X HJ-vnet0\n",
+
+    /* Creating ip6tables chains */
+    "/usr/sbin/ip6tables -N libvirt-in\n"
+    "/usr/sbin/ip6tables -N libvirt-out\n"
+    "/usr/sbin/ip6tables -N libvirt-in-post\n"
+    "/usr/sbin/ip6tables -N libvirt-host-in\n"
+    "/usr/sbin/ip6tables -D FORWARD -j libvirt-in\n"
+    "/usr/sbin/ip6tables -D FORWARD -j libvirt-out\n"
+    "/usr/sbin/ip6tables -D FORWARD -j libvirt-in-post\n"
+    "/usr/sbin/ip6tables -D INPUT -j libvirt-host-in\n"
+    "/usr/sbin/ip6tables -I FORWARD 1 -j libvirt-in\n"
+    "/usr/sbin/ip6tables -I FORWARD 2 -j libvirt-out\n"
+    "/usr/sbin/ip6tables -I FORWARD 3 -j libvirt-in-post\n"
+    "/usr/sbin/ip6tables -I INPUT 1 -j libvirt-host-in\n"
+    "/usr/sbin/ip6tables -N FP-vnet0\n"
+    "/usr/sbin/ip6tables -N FJ-vnet0\n"
+    "/usr/sbin/ip6tables -N HJ-vnet0\n"
+    "/usr/sbin/ip6tables -A libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
+    "/usr/sbin/ip6tables -A libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
+    "/usr/sbin/ip6tables -A libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
+    "/usr/sbin/ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+    "/usr/sbin/ip6tables -A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n",
+
+    /* Inserting ebtables rules */
+    "/usr/sbin/ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
+    "/usr/sbin/ebtables -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n",
+};
+
+
+static virNWFilterHashTablePtr
+virNWFilterCreateVarsFrom(virNWFilterHashTablePtr vars1,
+                          virNWFilterHashTablePtr vars2)
+{
+    virNWFilterHashTablePtr res = virNWFilterHashTableCreate(0);
+    if (!res)
+        return NULL;
+
+    if (virNWFilterHashTablePutAll(vars1, res) < 0)
+        goto err_exit;
+
+    if (virNWFilterHashTablePutAll(vars2, res) < 0)
+        goto err_exit;
+
+    return res;
+
+ err_exit:
+    virNWFilterHashTableFree(res);
+    return NULL;
+}
+
+
+static void
+virNWFilterRuleInstFree(virNWFilterRuleInstPtr inst)
+{
+    if (!inst)
+        return;
+
+    virNWFilterHashTableFree(inst->vars);
+    VIR_FREE(inst);
+}
+
+
+static void
+virNWFilterInstReset(virNWFilterInstPtr inst)
+{
+    size_t i;
+
+    for (i = 0; i < inst->nfilters; i++)
+        virNWFilterDefFree(inst->filters[i]);
+    VIR_FREE(inst->filters);
+    inst->nfilters = 0;
+
+    for (i = 0; i < inst->nrules; i++)
+        virNWFilterRuleInstFree(inst->rules[i]);
+    inst->nrules = 0;
+    VIR_FREE(inst->rules);
+}
+
+
+static int
+virNWFilterDefToInst(const char *xml,
+                     virNWFilterHashTablePtr vars,
+                     virNWFilterInstPtr inst);
+
+static int
+virNWFilterRuleDefToRuleInst(virNWFilterDefPtr def,
+                             virNWFilterRuleDefPtr rule,
+                             virNWFilterHashTablePtr vars,
+                             virNWFilterInstPtr inst)
+{
+    virNWFilterRuleInstPtr ruleinst;
+    int ret = -1;
+
+    if (VIR_ALLOC(ruleinst) < 0)
+        goto cleanup;
+
+    ruleinst->chainSuffix = def->chainsuffix;
+    ruleinst->chainPriority = def->chainPriority;
+    ruleinst->def = rule;
+    ruleinst->priority = rule->priority;
+    if (!(ruleinst->vars = virNWFilterHashTableCreate(0)))
+        goto cleanup;
+    if (virNWFilterHashTablePutAll(vars, ruleinst->vars) < 0)
+        goto cleanup;
+
+    if (VIR_APPEND_ELEMENT(inst->rules,
+                           inst->nrules,
+                           ruleinst) < 0)
+        goto cleanup;
+    ruleinst = NULL;
+
+    ret = 0;
+ cleanup:
+    virNWFilterRuleInstFree(ruleinst);
+    return ret;
+}
+
+
+static int
+virNWFilterIncludeDefToRuleInst(virNWFilterIncludeDefPtr inc,
+                                virNWFilterHashTablePtr vars,
+                                virNWFilterInstPtr inst)
+{
+    virNWFilterHashTablePtr tmpvars = NULL;
+    int ret = -1;
+    char *xml;
+
+    if (virAsprintf(&xml, "%s/nwfilterxml2firewalldata/%s.xml",
+                    abs_srcdir, inc->filterref) < 0)
+        return -1;
+
+    /* create a temporary hashmap for depth-first tree traversal */
+    if (!(tmpvars = virNWFilterCreateVarsFrom(inc->params,
+                                              vars)))
+        goto cleanup;
+
+    if (virNWFilterDefToInst(xml,
+                             tmpvars,
+                             inst) < 0)
+        goto cleanup;
+
+    ret = 0;
+ cleanup:
+    if (ret < 0)
+        virNWFilterInstReset(inst);
+    virNWFilterHashTableFree(tmpvars);
+    VIR_FREE(xml);
+    return ret;
+}
+
+static int
+virNWFilterDefToInst(const char *xml,
+                     virNWFilterHashTablePtr vars,
+                     virNWFilterInstPtr inst)
+{
+    size_t i;
+    int ret = -1;
+    virNWFilterDefPtr def = virNWFilterDefParseFile(xml);
+
+    if (!def)
+        return -1;
+
+    if (VIR_APPEND_ELEMENT_COPY(inst->filters,
+                                inst->nfilters,
+                                def) < 0) {
+        virNWFilterDefFree(def);
+        goto cleanup;
+    }
+
+    for (i = 0; i < def->nentries; i++) {
+        if (def->filterEntries[i]->rule) {
+            if (virNWFilterRuleDefToRuleInst(def,
+                                             def->filterEntries[i]->rule,
+                                             vars,
+                                             inst) < 0)
+                goto cleanup;
+        } else if (def->filterEntries[i]->include) {
+            if (virNWFilterIncludeDefToRuleInst(def->filterEntries[i]->include,
+                                                vars,
+                                                inst) < 0)
+                goto cleanup;
+        }
+    }
+
+    ret = 0;
+ cleanup:
+    if (ret < 0)
+        virNWFilterInstReset(inst);
+    return ret;
+}
+
+
+static void testRemoveCommonRules(char *rules)
+{
+    size_t i;
+    char *offset = rules;
+
+    for (i = 0; i < ARRAY_CARDINALITY(commonRules); i++) {
+        char *tmp = strstr(offset, commonRules[i]);
+        size_t len = strlen(commonRules[i]);
+        if (tmp) {
+            memmove(tmp, tmp + len, (strlen(tmp) + 1) - len);
+            offset = tmp;
+        }
+    }
+}
+
+
+static int testSetOneParameter(virNWFilterHashTablePtr vars,
+                               const char *name,
+                               const char *value)
+{
+    int ret = -1;
+    virNWFilterVarValuePtr val;
+
+    if ((val = virHashLookup(vars->hashTable, name)) == NULL) {
+        val = virNWFilterVarValueCreateSimpleCopyValue(value);
+        if (!val)
+            goto cleanup;
+        if (virNWFilterHashTablePut(vars, name, val) < 0) {
+            virNWFilterVarValueFree(val);
+            goto cleanup;
+        }
+    } else {
+        if (virNWFilterVarValueAddValueCopy(val, value) < 0)
+            goto cleanup;
+    }
+    ret = 0;
+ cleanup:
+    return ret;
+}
+
+static int testSetDefaultParameters(virNWFilterHashTablePtr vars)
+{
+    if (testSetOneParameter(vars, "IPSETNAME", "tck_test") < 0 ||
+        testSetOneParameter(vars, "A", "1.1.1.1") ||
+        testSetOneParameter(vars, "A", "2.2.2.2") ||
+        testSetOneParameter(vars, "A", "3.3.3.3") ||
+        testSetOneParameter(vars, "A", "3.3.3.3") ||
+        testSetOneParameter(vars, "B", "80") ||
+        testSetOneParameter(vars, "B", "90") ||
+        testSetOneParameter(vars, "B", "80") ||
+        testSetOneParameter(vars, "B", "80") ||
+        testSetOneParameter(vars, "C", "1080") ||
+        testSetOneParameter(vars, "C", "1090") ||
+        testSetOneParameter(vars, "C", "1100") ||
+        testSetOneParameter(vars, "C", "1110"))
+        return -1;
+    return 0;
+}
+
+static int testCompareXMLToArgvFiles(const char *xml,
+                                     const char *cmdline)
+{
+    char *expectargv = NULL;
+    int len;
+    char *actualargv = NULL;
+    virBuffer buf = VIR_BUFFER_INITIALIZER;
+    virNWFilterHashTablePtr vars = virNWFilterHashTableCreate(0);
+    virNWFilterInst inst;
+    int ret = -1;
+
+    memset(&inst, 0, sizeof(inst));
+
+    virCommandSetDryRun(&buf, NULL, NULL);
+
+    if (!vars)
+        goto cleanup;
+
+    if (testSetDefaultParameters(vars) < 0)
+        goto cleanup;
+
+    if (virNWFilterDefToInst(xml,
+                             vars,
+                             &inst) < 0)
+        goto cleanup;
+
+    if (ebiptables_driver.applyNewRules("vnet0", inst.rules, inst.nrules) < 0)
+        goto cleanup;
+
+    if (virBufferError(&buf))
+        goto cleanup;
+
+    actualargv = virBufferContentAndReset(&buf);
+    virCommandSetDryRun(NULL, NULL, NULL);
+
+    testRemoveCommonRules(actualargv);
+
+    len = virtTestLoadFile(cmdline, &expectargv);
+    if (len < 0)
+        goto cleanup;
+
+    if (STRNEQ(expectargv, actualargv)) {
+        virtTestDifference(stderr, expectargv, actualargv);
+        goto cleanup;
+    }
+
+    ret = 0;
+
+ cleanup:
+    virBufferFreeAndReset(&buf);
+    VIR_FREE(expectargv);
+    VIR_FREE(actualargv);
+    virNWFilterInstReset(&inst);
+    virNWFilterHashTableFree(vars);
+    return ret;
+}
+
+struct testInfo {
+    const char *name;
+};
+
+
+static int
+testCompareXMLToIPTablesHelper(const void *data)
+{
+    int result = -1;
+    const struct testInfo *info = data;
+    char *xml = NULL;
+    char *args = NULL;
+
+    if (virAsprintf(&xml, "%s/nwfilterxml2firewalldata/%s.xml",
+                    abs_srcdir, info->name) < 0 ||
+        virAsprintf(&args, "%s/nwfilterxml2firewalldata/%s-%s.args",
+                    abs_srcdir, info->name, RULESTYPE) < 0)
+        goto cleanup;
+
+    result = testCompareXMLToArgvFiles(xml, args);
+
+ cleanup:
+    VIR_FREE(xml);
+    VIR_FREE(args);
+    return result;
+}
+
+
+static int
+mymain(void)
+{
+    int ret = 0;
+
+    abs_top_srcdir = getenv("abs_top_srcdir");
+    if (!abs_top_srcdir)
+        abs_top_srcdir = abs_srcdir "/..";
+
+# define DO_TEST(name)                                                  \
+    do {                                                                \
+        static struct testInfo info = {                                 \
+            name,                                                       \
+        };                                                              \
+        if (virtTestRun("NWFilter XML-2-firewall " name,                \
+                        testCompareXMLToIPTablesHelper, &info) < 0)     \
+            ret = -1;                                                   \
+    } while (0)
+
+    if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
+        ret = -1;
+        goto cleanup;
+    }
+
+    DO_TEST("ah");
+    DO_TEST("ah-ipv6");
+    DO_TEST("all");
+    DO_TEST("all-ipv6");
+    DO_TEST("arp");
+    DO_TEST("comment");
+    DO_TEST("conntrack");
+    DO_TEST("esp");
+    DO_TEST("esp-ipv6");
+    DO_TEST("example-1");
+    DO_TEST("example-2");
+    DO_TEST("hex-data");
+    DO_TEST("icmp-direction2");
+    DO_TEST("icmp-direction3");
+    DO_TEST("icmp-direction");
+    DO_TEST("icmp");
+    DO_TEST("icmpv6");
+    DO_TEST("igmp");
+    DO_TEST("ip");
+    DO_TEST("ipset");
+    DO_TEST("ipt-no-macspoof");
+    DO_TEST("ipv6");
+    DO_TEST("iter1");
+    DO_TEST("iter2");
+    DO_TEST("iter3");
+    DO_TEST("mac");
+    DO_TEST("rarp");
+    DO_TEST("sctp");
+    DO_TEST("sctp-ipv6");
+    DO_TEST("stp");
+    DO_TEST("target2");
+    DO_TEST("target");
+    DO_TEST("tcp");
+    DO_TEST("tcp-ipv6");
+    DO_TEST("udp");
+    DO_TEST("udp-ipv6");
+    DO_TEST("udplite");
+    DO_TEST("udplite-ipv6");
+    DO_TEST("vlan");
+
+ cleanup:
+    return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
+}
+
+VIRT_TEST_MAIN(mymain)
+
+#else /* ! defined (__linux__) */
+
+int main(void)
+{
+    return EXIT_AM_SKIP;
+}
+
+#endif /* ! defined (__linux__) */
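Review bot: In testCompareXMLToArgvFiles the dry-run hook is cleared only on the success path, so every `goto cleanup` taken before `virCommandSetDryRun(NULL, NULL, NULL);` returns with the command layer still holding the address of the stack-allocated `buf`. Since the hook is what diverts the generated ebtables/iptables/ip6tables invocations into a buffer, it should be torn down deterministically: move that call under the `cleanup:` label, ahead of `virBufferFreeAndReset(&buf);`, so a failed case cannot leave a dangling buffer pointer behind. Separately, `actualargv` is passed to testRemoveCommonRules(), which calls `strstr()` on it, without a NULL check; if virBufferContentAndReset() can return NULL when nothing was recorded (not visible here), add `if (!actualargv) goto cleanup;` first. In testSetDefaultParameters only the first testSetOneParameter() call is compared with `< 0`; the rest rely on non-zero truthiness, which works but reads as an oversight.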
-- 
1.9.0



