[libvirt] [PATCH] Remove illegal values in nwfilter test XML/firewall files

Daniel P. Berrange berrange at redhat.com
Thu Mar 27 11:44:32 UTC 2014


A number of the nwfilter XML files have attribute values
which are out of range. Previously the libvirt nwfilter
XML parser would silently ignore illegal values, causing
them to default to 0. This resulted in creating incorrect
iptables rules, which the TCK suite then validated as
correct. Current libvirt returns a hard error for illegal
XML values. To address this we either change the attribute
values to be valid, or delete the bogus rules entirely if
they are duplicates of other existing valid rules.

Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
---
 scripts/nwfilter/nwfilterxml2fwallout/arp-test.fwall      | 1 -
 scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall  | 6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall | 6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall     | 3 ---
 scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall   | 4 +---
 scripts/nwfilter/nwfilterxml2fwallout/ip-test.fwall       | 4 +---
 scripts/nwfilter/nwfilterxml2fwallout/mac-test.fwall      | 1 -
 scripts/nwfilter/nwfilterxml2fwallout/rarp-test.fwall     | 1 -
 scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall | 6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/vlan-test.fwall     | 1 -
 scripts/nwfilter/nwfilterxml2xmlin/ah-ipv6-test.xml       | 2 +-
 scripts/nwfilter/nwfilterxml2xmlin/all-ipv6-test.xml      | 2 +-
 scripts/nwfilter/nwfilterxml2xmlin/arp-test.xml           | 5 -----
 scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml       | 2 +-
 scripts/nwfilter/nwfilterxml2xmlin/esp-ipv6-test.xml      | 2 +-
 scripts/nwfilter/nwfilterxml2xmlin/hex-data-test.xml      | 2 +-
 scripts/nwfilter/nwfilterxml2xmlin/icmp-test.xml          | 5 -----
 scripts/nwfilter/nwfilterxml2xmlin/icmpv6-test.xml        | 4 ++--
 scripts/nwfilter/nwfilterxml2xmlin/ip-test.xml            | 8 +-------
 scripts/nwfilter/nwfilterxml2xmlin/ipv6-test.xml          | 2 +-
 scripts/nwfilter/nwfilterxml2xmlin/mac-test.xml           | 4 ----
 scripts/nwfilter/nwfilterxml2xmlin/rarp-test.xml          | 5 -----
 scripts/nwfilter/nwfilterxml2xmlin/sctp-ipv6-test.xml     | 4 ++--
 scripts/nwfilter/nwfilterxml2xmlin/sctp-test.xml          | 2 +-
 scripts/nwfilter/nwfilterxml2xmlin/tcp-ipv6-test.xml      | 4 ++--
 scripts/nwfilter/nwfilterxml2xmlin/tcp-test.xml           | 2 +-
 scripts/nwfilter/nwfilterxml2xmlin/udp-ipv6-test.xml      | 6 +++---
 scripts/nwfilter/nwfilterxml2xmlin/udp-test.xml           | 2 +-
 scripts/nwfilter/nwfilterxml2xmlin/udplite-ipv6-test.xml  | 2 +-
 scripts/nwfilter/nwfilterxml2xmlin/vlan-test.xml          | 7 -------
 30 files changed, 31 insertions(+), 74 deletions(-)

diff --git a/scripts/nwfilter/nwfilterxml2fwallout/arp-test.fwall b/scripts/nwfilter/nwfilterxml2fwallout/arp-test.fwall
index 6ff4eb9..34174a0 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/arp-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/arp-test.fwall
@@ -3,7 +3,6 @@
 -p ARP -s 1:2:3:4:5:6 --arp-op Request --arp-htype 255 --arp-ptype 0xff -j ACCEPT 
 -p ARP -s 1:2:3:4:5:6 --arp-op 11 --arp-htype 256 --arp-ptype 0x100 -j ACCEPT 
 -p ARP -s 1:2:3:4:5:6 --arp-op 65535 --arp-htype 65535 --arp-ptype 0xffff -j ACCEPT 
--p ARP -s 1:2:3:4:5:6 -j ACCEPT 
 #ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
 -p ARP --arp-gratuitous -j ACCEPT 
 #ebtables -t nat -L PREROUTING | grep vnet0
diff --git a/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall b/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
index 6ef30a5..842f3bb 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
@@ -31,21 +31,21 @@ FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 --p
 #ip6tables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     tcp      ::/0                 a:b:c::/128         tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL/* tcp/ipv6 rule */ 
+RETURN     tcp      ::/0                 a:b:c::/128         DSCP match 0x39 tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL/* tcp/ipv6 rule */ 
 RETURN     udp      ::/0                 ::/0                state ESTABLISHED ctdir ORIGINAL/* `ls`;${COLUMNS};$(ls);"test";&'3   spaces' */ 
 RETURN     sctp     ::/0                 ::/0                state ESTABLISHED ctdir ORIGINAL/* comment with lone ', `, ", `, \, $x, and two  spaces */ 
 RETURN     ah       ::/0                 ::/0                state ESTABLISHED ctdir ORIGINAL/* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ 
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     tcp      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED ctdir REPLY/* tcp/ipv6 rule */ 
+ACCEPT     tcp      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x39 tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED ctdir REPLY/* tcp/ipv6 rule */ 
 ACCEPT     udp      ::/0                 ::/0                state NEW,ESTABLISHED ctdir REPLY/* `ls`;${COLUMNS};$(ls);"test";&'3   spaces' */ 
 ACCEPT     sctp     ::/0                 ::/0                state NEW,ESTABLISHED ctdir REPLY/* comment with lone ', `, ", `, \, $x, and two  spaces */ 
 ACCEPT     ah       ::/0                 ::/0                state NEW,ESTABLISHED ctdir REPLY/* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ 
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     tcp      ::/0                 a:b:c::/128         tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL/* tcp/ipv6 rule */ 
+RETURN     tcp      ::/0                 a:b:c::/128         DSCP match 0x39 tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL/* tcp/ipv6 rule */ 
 RETURN     udp      ::/0                 ::/0                state ESTABLISHED ctdir ORIGINAL/* `ls`;${COLUMNS};$(ls);"test";&'3   spaces' */ 
 RETURN     sctp     ::/0                 ::/0                state ESTABLISHED ctdir ORIGINAL/* comment with lone ', `, ", `, \, $x, and two  spaces */ 
 RETURN     ah       ::/0                 ::/0                state ESTABLISHED ctdir ORIGINAL/* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ 
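Review bot: The three added tcp lines in this hunk print the DSCP match as `DSCP match 0x39 tcp`, with a space before the protocol match, while other expected output in this patch runs the two together (`DSCP match 0x21udp` in udp-ipv6-test.fwall, `DSCP match 0x21ipv6-icmp` in the line added to icmpv6-test.fwall). The three lines added to hex-data-test.fwall have the same spacing, and the line added to icmpv6-test.fwall ends without the trailing space that its neighbour `... state NEW,ESTABLISHED ` carries. If the harness compares these files whitespace-sensitively, the new lines will not match output from the iptables version that produced the rest of the fixtures. I would regenerate the added lines from a single run, or state in the commit message that the comparison ignores whitespace.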
diff --git a/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall b/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
index 66b0b71..2ed979e 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
@@ -31,15 +31,15 @@ FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 --p
 #ip6tables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     tcp      ::/0                 a:b:c::/128         tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL
+RETURN     tcp      ::/0                 a:b:c::/128         DSCP match 0x39 tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     tcp      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     tcp      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x39 tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED ctdir REPLY
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     tcp      ::/0                 a:b:c::/128         tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL
+RETURN     tcp      ::/0                 a:b:c::/128         DSCP match 0x39 tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 
 #ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
diff --git a/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall b/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
index e5f84e5..afdd95b 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
@@ -2,17 +2,14 @@
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
 RETURN     icmp --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11 state NEW,ESTABLISHED 
-RETURN     icmp --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
 ACCEPT     icmp --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21icmp type 255 code 255 state NEW,ESTABLISHED 
-ACCEPT     icmp --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
 RETURN     icmp --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11 state NEW,ESTABLISHED 
-RETURN     icmp --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep vnet0 | tr -s " "
diff --git a/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall b/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
index ed8eee0..4749f84 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
@@ -2,17 +2,15 @@
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
 RETURN     icmpv6    f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11 state NEW,ESTABLISHED 
-RETURN     icmpv6    ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
 ACCEPT     icmpv6    a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21ipv6-icmp type 255 code 255 state NEW,ESTABLISHED 
-ACCEPT     icmpv6    ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     icmpv6    ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21ipv6-icmp type 255 code 255 state NEW,ESTABLISHED
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
 RETURN     icmpv6    f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11 state NEW,ESTABLISHED 
-RETURN     icmpv6    ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L INPUT -n --line-numbers | grep libvirt
 1    libvirt-host-in  all      ::/0                 ::/0                
 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
diff --git a/scripts/nwfilter/nwfilterxml2fwallout/ip-test.fwall b/scripts/nwfilter/nwfilterxml2fwallout/ip-test.fwall
index f3cd49b..dbd6497 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/ip-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/ip-test.fwall
@@ -5,8 +5,6 @@
 #ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
 -p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst 10.1.2.3 --ip-proto udp --ip-sport 20:22 --ip-dport 100:101 -j ACCEPT 
 -p IPv4 --ip-src 10.1.0.0/17 --ip-dst 10.1.2.0/24 --ip-tos 0x3F --ip-proto udp -j ACCEPT 
--p IPv4 --ip-src 10.1.2.2/31 --ip-dst 10.1.2.3 -j ACCEPT 
 #ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
--p IPv4 --ip-src 10.1.2.2/31 --ip-dst 10.1.2.0/25 --ip-proto 255 -j ACCEPT 
--p IPv4 --ip-src 10.1.2.3 --ip-dst 10.1.2.2/31 -j ACCEPT 
+-p IPv4 --ip-src 10.1.2.2/31 --ip-dst 10.1.2.0/25 --ip-tos 0x3F --ip-proto 255 -j ACCEPT 
 
diff --git a/scripts/nwfilter/nwfilterxml2fwallout/mac-test.fwall b/scripts/nwfilter/nwfilterxml2fwallout/mac-test.fwall
index 2dd7952..bb00629 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/mac-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/mac-test.fwall
@@ -7,6 +7,5 @@
 #ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
 -p IPv4 -d aa:bb:cc:dd:ee:ff -j ACCEPT 
 -p 0x600 -d aa:bb:cc:dd:ee:ff -j ACCEPT 
--d aa:bb:cc:dd:ee:ff -j ACCEPT 
 -p 0xffff -d aa:bb:cc:dd:ee:ff -j ACCEPT 
 
diff --git a/scripts/nwfilter/nwfilterxml2fwallout/rarp-test.fwall b/scripts/nwfilter/nwfilterxml2fwallout/rarp-test.fwall
index 77d9806..e0d9c8c 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/rarp-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/rarp-test.fwall
@@ -3,7 +3,6 @@
 -p RARP -s 1:2:3:4:5:6 --arp-op Request --arp-htype 255 --arp-ptype 0xff -j ACCEPT 
 -p RARP -s 1:2:3:4:5:6 --arp-op 11 --arp-htype 256 --arp-ptype 0x100 -j ACCEPT 
 -p RARP -s 1:2:3:4:5:6 --arp-op 65535 --arp-htype 65535 --arp-ptype 0xffff -j ACCEPT 
--p RARP -s 1:2:3:4:5:6 -j ACCEPT 
 #ebtables -t nat -L PREROUTING | grep vnet0
 -i vnet0 -j libvirt-I-vnet0
 
diff --git a/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall b/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
index dd7b19c..0a75421 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
@@ -2,19 +2,19 @@
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
 RETURN     udp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
-RETURN     udp      ::/0                 ::/0                DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN     udp      ::/0                 ::a:b:c/128         DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
 RETURN     udp      ::/0                 ::10.1.2.3/128      DSCP match 0x3fudp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
 ACCEPT     udp      a:b:c::d:e:f/128     ::/0                DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
-ACCEPT     udp      ::/0                 ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     udp      ::a:b:c/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY
 ACCEPT     udp      ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state NEW,ESTABLISHED ctdir REPLY
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
 RETURN     udp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
-RETURN     udp      ::/0                 ::/0                DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN     udp      ::/0                 ::a:b:c/128         DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
 RETURN     udp      ::/0                 ::10.1.2.3/128      DSCP match 0x3fudp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L INPUT -n --line-numbers | grep libvirt
 1    libvirt-host-in  all      ::/0                 ::/0                
diff --git a/scripts/nwfilter/nwfilterxml2fwallout/vlan-test.fwall b/scripts/nwfilter/nwfilterxml2fwallout/vlan-test.fwall
index 603f470..a2fbfd3 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/vlan-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/vlan-test.fwall
@@ -7,7 +7,6 @@
 -p 802_1Q -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --vlan-id 291 -j CONTINUE 
 -p 802_1Q -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --vlan-id 1234 -j RETURN 
 -p 802_1Q -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --vlan-id 291 -j DROP 
--p 802_1Q -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff -j ACCEPT 
 #ebtables -t nat -L PREROUTING | grep vnet0
 -i vnet0 -j libvirt-I-vnet0
 #ebtables -t nat -L POSTROUTING | grep vnet0
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/ah-ipv6-test.xml b/scripts/nwfilter/nwfilterxml2xmlin/ah-ipv6-test.xml
index 07d1ffe..95ebbc9 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/ah-ipv6-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/ah-ipv6-test.xml
@@ -13,7 +13,7 @@
   </rule>
   <rule action='accept' direction='in'>
      <ah-ipv6 srcmacaddr='1:2:3:4:5:6'
-              srcipaddr='::10.1.2.3' srcipmask='129'
+              srcipaddr='::10.1.2.3' srcipmask='128'
               dscp='33'/>
   </rule>
 </filter>
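Review bot: No expected-output file changes alongside this `srcipmask='129'` to `'128'` correction: ah-ipv6-test.fwall is absent from the diffstat, as are the .fwall files for all-ipv6, esp-ipv6, udplite-ipv6, sctp-ipv6, tcp-ipv6, ipv6, sctp, tcp and udp, whose XML is corrected further down. That is probably right, since the udp-ipv6-test.fwall context lines already show `::10.1.2.3/128` for the rule that carried mask 129, but it does not follow from the commit message's statement that illegal values defaulted to 0. Once confirmed by a run, a sentence in the commit message such as `Corrections to srcipmask and dstportend do not change the generated rules, so the matching .fwall files are untouched` would save the next reader the check.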
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/all-ipv6-test.xml b/scripts/nwfilter/nwfilterxml2xmlin/all-ipv6-test.xml
index eb39bc3..5cf3519 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/all-ipv6-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/all-ipv6-test.xml
@@ -13,7 +13,7 @@
   </rule>
   <rule action='accept' direction='in'>
      <all-ipv6 srcmacaddr='1:2:3:4:5:6'
-               srcipaddr='::10.1.2.3' srcipmask='129'
+               srcipaddr='::10.1.2.3' srcipmask='128'
                dscp='33'/>
   </rule>
 </filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/arp-test.xml b/scripts/nwfilter/nwfilterxml2xmlin/arp-test.xml
index 2e08b32..d0abf94 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/arp-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/arp-test.xml
@@ -26,11 +26,6 @@
           opcode='65535' hwtype='65535' protocoltype='65535' />
   </rule>
 
-  <rule action='accept' direction='out'>
-     <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
-          opcode='65536' hwtype='65536' protocoltype='65536' />
-  </rule>
-
   <rule action='accept' direction='in'>
      <arp gratuitous='true'/>
   </rule>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml b/scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml
index af5c5cc..a154a17 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/comment-test.xml
@@ -50,7 +50,7 @@
   <rule action='accept' direction='in'>
      <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
                srcipaddr='a:b:c::' srcipmask='128'
-               dscp='0x40'
+               dscp='0x39'
                srcportstart='0x20' srcportend='0x21'
                dstportstart='0x100' dstportend='0x1111'
                comment='tcp/ipv6 rule'/>
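Review bot: `dscp='0x39'` is in range but is not the boundary value, unlike the other corrections in this patch, which move each illegal value to the largest legal one (`dscp='64'` to `'63'` in ip-test.xml, `65536` to `65535`, `129` to `128`). The largest DSCP value in hex is 0x3f, so 0x39 reads like 0x40 decremented as if it were decimal. If the intent is to keep a hex upper-bound case, use `dscp='0x3f'` here and in hex-data-test.xml, with `DSCP match 0x3f` in comment-test.fwall and hex-data-test.fwall. The enclosing `<rule>` closes outside the hunk.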
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/esp-ipv6-test.xml b/scripts/nwfilter/nwfilterxml2xmlin/esp-ipv6-test.xml
index 4dd9b98..295d0f9 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/esp-ipv6-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/esp-ipv6-test.xml
@@ -13,7 +13,7 @@
   </rule>
   <rule action='accept' direction='in'>
      <esp-ipv6 srcmacaddr='1:2:3:4:5:6'
-               srcipaddr='::10.1.2.3' srcipmask='129'
+               srcipaddr='::10.1.2.3' srcipmask='128'
                dscp='33'/>
   </rule>
 </filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/hex-data-test.xml b/scripts/nwfilter/nwfilterxml2xmlin/hex-data-test.xml
index d2da079..45df451 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/hex-data-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/hex-data-test.xml
@@ -48,7 +48,7 @@
   <rule action='accept' direction='in'>
      <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
                srcipaddr='a:b:c::' srcipmask='128'
-               dscp='0x40'
+               dscp='0x39'
                srcportstart='0x20' srcportend='0x21'
                dstportstart='0x100' dstportend='0x1111'/>
   </rule>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/icmp-test.xml b/scripts/nwfilter/nwfilterxml2xmlin/icmp-test.xml
index 90f852b..fff5d42 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/icmp-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/icmp-test.xml
@@ -10,9 +10,4 @@
            srcipaddr='10.1.2.3' srcipmask='22'
            dscp='33' type='255' code='255'/>
   </rule>
-  <rule action='accept' direction='in'>
-     <icmp srcmacaddr='1:2:3:4:5:6'
-           srcipaddr='10.1.2.3' srcipmask='22'
-           dscp='33' type='256' code='256'/>
-  </rule>
 </filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/icmpv6-test.xml b/scripts/nwfilter/nwfilterxml2xmlin/icmpv6-test.xml
index 01dc6e2..9d24826 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/icmpv6-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/icmpv6-test.xml
@@ -13,7 +13,7 @@
   </rule>
   <rule action='accept' direction='in'>
      <icmpv6 srcmacaddr='1:2:3:4:5:6'
-             srcipaddr='::10.1.2.3' srcipmask='129'
-             dscp='33' type='256' code='256'/>
+             srcipaddr='::10.1.2.3' srcipmask='128'
+             dscp='33' type='255' code='255'/>
   </rule>
 </filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/ip-test.xml b/scripts/nwfilter/nwfilterxml2xmlin/ip-test.xml
index 0a744a2..da362a1 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/ip-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/ip-test.xml
@@ -21,14 +21,8 @@
   <rule action='accept' direction='in'>
      <ip  srcipaddr='10.1.2.3' srcipmask='255.255.255.254'
           dstipaddr='10.1.2.3' dstipmask='255.255.255.128'
-          protocol='255' dscp='64'
+          protocol='255' dscp='63'
       />
   </rule>
 
-  <rule action='accept' direction='inout'>
-     <ip  srcipaddr='10.1.2.3' srcipmask='255.255.255.127'
-          dstipaddr='10.1.2.3' dstipmask='255.255.255.254'
-          protocol='256' dscp='64'
-      />
-  </rule>
 </filter>
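Review bot: Deleting the `inout` rule with `srcipmask='255.255.255.127'` and `protocol='256'` leaves the parser's rejection of illegal values untested, here and for the rules dropped from arp-test.xml, rarp-test.xml, icmp-test.xml, mac-test.xml and vlan-test.xml. The expected outputs removed with them (for example `-p ARP -s 1:2:3:4:5:6 -j ACCEPT` in arp-test.fwall) show that the old behaviour turned an out-of-range match into a broader ACCEPT rule, which for a packet filter is a fail-open result worth guarding against regression. I would move these rules into a separate negative fixture that the suite expects libvirt to refuse to define, rather than drop them. Whether the harness has a hook for expected failures is not visible from this patch.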
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/ipv6-test.xml b/scripts/nwfilter/nwfilterxml2xmlin/ipv6-test.xml
index 7fa7181..9f67bea 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/ipv6-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/ipv6-test.xml
@@ -28,7 +28,7 @@
            dstipmask='ffff:ffff:ffff:ffff:8000::'
            protocol='6'
            srcportstart='255' srcportend='256'
-           dstportstart='65535' dstportend='65536'
+           dstportstart='65535' dstportend='65535'
       />
   </rule>
 
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/mac-test.xml b/scripts/nwfilter/nwfilterxml2xmlin/mac-test.xml
index 8f9565c..2aec935 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/mac-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/mac-test.xml
@@ -14,10 +14,6 @@
   </rule>
   <rule action='accept' direction='in'>
      <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
-     protocolid='15'/>
-  </rule>
-  <rule action='accept' direction='in'>
-     <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
      protocolid='65535'/>
   </rule>
 </filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/rarp-test.xml b/scripts/nwfilter/nwfilterxml2xmlin/rarp-test.xml
index 7b99df0..77c1127 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/rarp-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/rarp-test.xml
@@ -25,9 +25,4 @@
      <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
            opcode='65535' hwtype='65535' protocoltype='65535' />
   </rule>
-
-  <rule action='accept' direction='out'>
-     <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
-           opcode='65536' hwtype='65536' protocoltype='65536' />
-  </rule>
 </filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/sctp-ipv6-test.xml b/scripts/nwfilter/nwfilterxml2xmlin/sctp-ipv6-test.xml
index 99bf349..d1a57b8 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/sctp-ipv6-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/sctp-ipv6-test.xml
@@ -14,9 +14,9 @@
   </rule>
   <rule action='accept' direction='in'>
      <sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
-                srcipaddr='::10.1.2.3' srcipmask='129'
+                srcipaddr='::10.1.2.3' srcipmask='128'
                 dscp='63'
                 srcportstart='255' srcportend='256'
-                dstportstart='65535' dstportend='65536'/>
+                dstportstart='65535' dstportend='65535'/>
   </rule>
 </filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/sctp-test.xml b/scripts/nwfilter/nwfilterxml2xmlin/sctp-test.xml
index c2f635b..c3c1000 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/sctp-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/sctp-test.xml
@@ -17,6 +17,6 @@
            srcipaddr='10.1.2.3' srcipmask='32'
            dscp='63'
            srcportstart='255' srcportend='256'
-           dstportstart='65535' dstportend='65536'/>
+           dstportstart='65535' dstportend='65535'/>
   </rule>
 </filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/tcp-ipv6-test.xml b/scripts/nwfilter/nwfilterxml2xmlin/tcp-ipv6-test.xml
index ecc1d30..d4f24f4 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/tcp-ipv6-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/tcp-ipv6-test.xml
@@ -14,9 +14,9 @@
   </rule>
   <rule action='accept' direction='in'>
      <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
-               srcipaddr='::10.1.2.3' srcipmask='129'
+               srcipaddr='::10.1.2.3' srcipmask='128'
                dscp='63'
                srcportstart='255' srcportend='256'
-               dstportstart='65535' dstportend='65536'/>
+               dstportstart='65535' dstportend='65535'/>
   </rule>
 </filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/tcp-test.xml b/scripts/nwfilter/nwfilterxml2xmlin/tcp-test.xml
index fc77683..14ebd35 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/tcp-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/tcp-test.xml
@@ -17,7 +17,7 @@
           srcipaddr='10.1.2.3' srcipmask='32'
           dscp='63'
           srcportstart='255' srcportend='256'
-          dstportstart='65535' dstportend='65536'/>
+          dstportstart='65535' dstportend='65535'/>
   </rule>
   <rule action='accept' direction='in'>
      <tcp state='NONE' flags='SYN/ALL'/>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/udp-ipv6-test.xml b/scripts/nwfilter/nwfilterxml2xmlin/udp-ipv6-test.xml
index e8c6ba6..fd4f135 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/udp-ipv6-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/udp-ipv6-test.xml
@@ -7,16 +7,16 @@
   </rule>
   <rule action='accept' direction='in'>
      <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
-               srcipaddr='a:b:c' srcipmask='128'
+               srcipaddr='::a:b:c' srcipmask='128'
                dscp='33'
                srcportstart='20' srcportend='21'
                dstportstart='100' dstportend='1111'/>
   </rule>
   <rule action='accept' direction='in'>
      <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
-               srcipaddr='::10.1.2.3' srcipmask='129'
+               srcipaddr='::10.1.2.3' srcipmask='128'
                dscp='63'
                srcportstart='255' srcportend='256'
-               dstportstart='65535' dstportend='65536'/>
+               dstportstart='65535' dstportend='65535'/>
   </rule>
 </filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/udp-test.xml b/scripts/nwfilter/nwfilterxml2xmlin/udp-test.xml
index 10ce53d..359dfa2 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/udp-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/udp-test.xml
@@ -17,6 +17,6 @@
           srcipaddr='10.1.2.3' srcipmask='32'
           dscp='63'
           srcportstart='255' srcportend='256'
-          dstportstart='65535' dstportend='65536'/>
+          dstportstart='65535' dstportend='65535'/>
   </rule>
 </filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/udplite-ipv6-test.xml b/scripts/nwfilter/nwfilterxml2xmlin/udplite-ipv6-test.xml
index 0763a7d..5b941a2 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/udplite-ipv6-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/udplite-ipv6-test.xml
@@ -13,7 +13,7 @@
   </rule>
   <rule action='accept' direction='in'>
      <udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
-               srcipaddr='::10.1.2.3' srcipmask='129'
+               srcipaddr='::10.1.2.3' srcipmask='128'
                dscp='33'/>
   </rule>
 </filter>
diff --git a/scripts/nwfilter/nwfilterxml2xmlin/vlan-test.xml b/scripts/nwfilter/nwfilterxml2xmlin/vlan-test.xml
index 65ee04b..a5e7b38 100644
--- a/scripts/nwfilter/nwfilterxml2xmlin/vlan-test.xml
+++ b/scripts/nwfilter/nwfilterxml2xmlin/vlan-test.xml
@@ -21,13 +21,6 @@
      />
   </rule>
 
-  <rule action='accept' direction='in'>
-     <vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
-           dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
-           vlanid='0xffff'
-     />
-  </rule>
-
   <rule action='drop' direction='out'>
      <vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
            dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
-- 
1.8.5.3



