File revert-7431b3eb.patch of Package libvirt
commit f6c5babbbf831b9ea2fdcfc783b5fd998bf8ffdd
Author: Jim Fehlig <jfehlig@suse.com>
Date: Thu Apr 25 09:15:00 2019 -0600
Revert "util: move virtual network firwall rules into private chains"
This reverts commit 7431b3eb9a05068e4ba05d0bb236b440b33eb1ab.
See bsc#1133229
Index: libvirt-5.1.0/src/libvirt_private.syms
===================================================================
--- libvirt-5.1.0.orig/src/libvirt_private.syms
+++ libvirt-5.1.0/src/libvirt_private.syms
@@ -2087,7 +2087,6 @@ iptablesRemoveOutputFixUdpChecksum;
iptablesRemoveTcpInput;
iptablesRemoveUdpInput;
iptablesRemoveUdpOutput;
-iptablesSetDeletePrivate;
iptablesSetupPrivateChains;
Index: libvirt-5.1.0/src/network/bridge_driver_linux.c
===================================================================
--- libvirt-5.1.0.orig/src/network/bridge_driver_linux.c
+++ libvirt-5.1.0/src/network/bridge_driver_linux.c
@@ -35,35 +35,17 @@ VIR_LOG_INIT("network.bridge_driver_linu
#define PROC_NET_ROUTE "/proc/net/route"
-int networkPreReloadFirewallRules(bool startup)
+int networkPreReloadFirewallRules(bool startup ATTRIBUTE_UNUSED)
{
int ret = iptablesSetupPrivateChains();
if (ret < 0)
return -1;
-
- /*
- * If this is initial startup, and we just created the
- * top level private chains we either
- *
- * - upgraded from old libvirt
- * - freshly booted from clean state
- *
- * In the first case we must delete the old rules from
- * the built-in chains, instead of our new private chains.
- * In the second case it doesn't matter, since no existing
- * rules will be present. Thus we can safely just tell it
- * to always delete from the builin chain
- */
- if (startup && ret == 1)
- iptablesSetDeletePrivate(false);
-
return 0;
}
void networkPostReloadFirewallRules(bool startup ATTRIBUTE_UNUSED)
{
- iptablesSetDeletePrivate(true);
}
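Review bot: With the startup migration block removed, nothing in networkPreReloadFirewallRules covers a host whose rules were already written into the LIBVIRT_* chains by a build that carried 7431b3eb. After this revert every remove helper deletes from the built-in chains only, so ACCEPT and MASQUERADE entries left in the private chains would presumably survive a reload. iptablesSetupPrivateChains() is still called here (its body is outside the diff), so those chains may stay reachable from the built-in ones. Either flush the private chains on startup or state the limitation above the call, e.g. `/* NOTE: rules are added to and deleted from the built-in chains only; entries left in LIBVIRT_* chains by an earlier build are not cleaned up */`. The `ret == 1` result is no longer consulted, so `if (iptablesSetupPrivateChains() < 0) return -1;` would be enough.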
Index: libvirt-5.1.0/src/util/viriptables.c
===================================================================
--- libvirt-5.1.0.orig/src/util/viriptables.c
+++ libvirt-5.1.0/src/util/viriptables.c
@@ -48,7 +48,6 @@ enum {
REMOVE
};
-static bool deletePrivate = true;
typedef struct {
const char *parent;
@@ -180,17 +179,9 @@ iptablesSetupPrivateChains(void)
}
-void
-iptablesSetDeletePrivate(bool pvt)
-{
- deletePrivate = pvt;
-}
-
-
static void
iptablesInput(virFirewallPtr fw,
virFirewallLayer layer,
- bool pvt,
const char *iface,
int port,
int action,
@@ -203,8 +194,7 @@ iptablesInput(virFirewallPtr fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
- pvt ? "LIBVIRT_INP" : "INPUT",
+ action == ADD ? "--insert" : "--delete", "INPUT",
"--in-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
@@ -215,7 +205,6 @@ iptablesInput(virFirewallPtr fw,
static void
iptablesOutput(virFirewallPtr fw,
virFirewallLayer layer,
- bool pvt,
const char *iface,
int port,
int action,
@@ -228,8 +217,7 @@ iptablesOutput(virFirewallPtr fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
- pvt ? "LIBVIRT_OUT" : "OUTPUT",
+ action == ADD ? "--insert" : "--delete", "OUTPUT",
"--out-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
@@ -252,7 +240,7 @@ iptablesAddTcpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, true, iface, port, ADD, 1);
+ iptablesInput(fw, layer, iface, port, ADD, 1);
}
/**
@@ -270,7 +258,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw
const char *iface,
int port)
{
- iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 1);
+ iptablesInput(fw, layer, iface, port, REMOVE, 1);
}
/**
@@ -288,7 +276,7 @@ iptablesAddUdpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, true, iface, port, ADD, 0);
+ iptablesInput(fw, layer, iface, port, ADD, 0);
}
/**
@@ -306,7 +294,7 @@ iptablesRemoveUdpInput(virFirewallPtr fw
const char *iface,
int port)
{
- iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 0);
+ return iptablesInput(fw, layer, iface, port, REMOVE, 0);
}
/**
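Review bot: The new line in iptablesRemoveUdpInput is written `return iptablesInput(...)`, but iptablesInput is declared `static void` earlier in this file, and the sibling wrappers iptablesRemoveTcpInput and iptablesAddUdpInput call it as a plain statement. The wrapper's return type is outside the hunk, but the siblings suggest it is void, in which case a return with an expression is a constraint violation in ISO C that GCC accepts only as an extension. Write `iptablesInput(fw, layer, iface, port, REMOVE, 0);` so the wrapper matches the others.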
@@ -324,7 +312,7 @@ iptablesAddUdpOutput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutput(fw, layer, true, iface, port, ADD, 0);
+ iptablesOutput(fw, layer, iface, port, ADD, 0);
}
/**
@@ -342,7 +330,7 @@ iptablesRemoveUdpOutput(virFirewallPtr f
const char *iface,
int port)
{
- iptablesOutput(fw, layer, deletePrivate, iface, port, REMOVE, 0);
+ iptablesOutput(fw, layer, iface, port, REMOVE, 0);
}
@@ -382,7 +370,6 @@ static char *iptablesFormatNetwork(virSo
*/
static int
iptablesForwardAllowOut(virFirewallPtr fw,
- bool pvt,
virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
@@ -399,8 +386,7 @@ iptablesForwardAllowOut(virFirewallPtr f
if (physdev && physdev[0])
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
- pvt ? "LIBVIRT_FWO" : "FORWARD",
+ action == ADD ? "--insert" : "--delete", "FORWARD",
"--source", networkstr,
"--in-interface", iface,
"--out-interface", physdev,
@@ -409,8 +395,7 @@ iptablesForwardAllowOut(virFirewallPtr f
else
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
- pvt ? "LIBVIRT_FWO" : "FORWARD",
+ action == ADD ? "--insert" : "--delete", "FORWARD",
"--source", networkstr,
"--in-interface", iface,
"--jump", "ACCEPT",
@@ -439,7 +424,7 @@ iptablesAddForwardAllowOut(virFirewallPt
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(fw, true, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, ADD);
}
/**
@@ -462,7 +447,7 @@ iptablesRemoveForwardAllowOut(virFirewal
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, REMOVE);
}
@@ -471,7 +456,6 @@ iptablesRemoveForwardAllowOut(virFirewal
*/
static int
iptablesForwardAllowRelatedIn(virFirewallPtr fw,
- bool pvt,
virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
@@ -488,8 +472,7 @@ iptablesForwardAllowRelatedIn(virFirewal
if (physdev && physdev[0])
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
- pvt ? "LIBVIRT_FWI" : "FORWARD",
+ action == ADD ? "--insert" : "--delete", "FORWARD",
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
@@ -500,8 +483,7 @@ iptablesForwardAllowRelatedIn(virFirewal
else
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
- pvt ? "LIBVIRT_FWI" : "FORWARD",
+ action == ADD ? "--insert" : "--delete", "FORWARD",
"--destination", networkstr,
"--out-interface", iface,
"--match", "conntrack",
@@ -532,7 +514,7 @@ iptablesAddForwardAllowRelatedIn(virFire
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(fw, true, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, ADD);
}
/**
@@ -555,14 +537,13 @@ iptablesRemoveForwardAllowRelatedIn(virF
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, REMOVE);
}
/* Allow all traffic destined to the bridge, with a valid network address
*/
static int
iptablesForwardAllowIn(virFirewallPtr fw,
- bool pvt,
virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
@@ -579,8 +560,7 @@ iptablesForwardAllowIn(virFirewallPtr fw
if (physdev && physdev[0])
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
- pvt ? "LIBVIRT_FWI" : "FORWARD",
+ action == ADD ? "--insert" : "--delete", "FORWARD",
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
@@ -589,8 +569,7 @@ iptablesForwardAllowIn(virFirewallPtr fw
else
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
- pvt ? "LIBVIRT_FWI" : "FORWARD",
+ action == ADD ? "--insert" : "--delete", "FORWARD",
"--destination", networkstr,
"--out-interface", iface,
"--jump", "ACCEPT",
@@ -618,7 +597,7 @@ iptablesAddForwardAllowIn(virFirewallPtr
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(fw, true, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD);
}
/**
@@ -641,20 +620,18 @@ iptablesRemoveForwardAllowIn(virFirewall
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE);
}
static void
iptablesForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
- bool pvt,
const char *iface,
int action)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
- pvt ? "LIBVIRT_FWX" : "FORWARD",
+ action == ADD ? "--insert" : "--delete", "FORWARD",
"--in-interface", iface,
"--out-interface", iface,
"--jump", "ACCEPT",
@@ -677,7 +654,7 @@ iptablesAddForwardAllowCross(virFirewall
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardAllowCross(fw, layer, true, iface, ADD);
+ iptablesForwardAllowCross(fw, layer, iface, ADD);
}
/**
@@ -696,20 +673,18 @@ iptablesRemoveForwardAllowCross(virFirew
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardAllowCross(fw, layer, deletePrivate, iface, REMOVE);
+ iptablesForwardAllowCross(fw, layer, iface, REMOVE);
}
static void
iptablesForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
- bool pvt,
const char *iface,
int action)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
- pvt ? "LIBVIRT_FWO" : "FORWARD",
+ action == ADD ? "--insert" : "delete", "FORWARD",
"--in-interface", iface,
"--jump", "REJECT",
NULL);
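Review bot: In iptablesForwardRejectOut the remove branch now passes `"delete"` without the leading dashes, while every other helper in this patch passes `"--delete"`. iptables would not parse that as the delete command, so the REJECT rule for traffic coming in from the bridge interface would likely not be removed on REMOVE, and the failing rule may affect the rest of the firewall transaction used for network teardown. The line should read `action == ADD ? "--insert" : "--delete", "FORWARD",`. The .args fixtures updated in this patch show only `--insert` commands, so the test data would not catch a wrong delete argument. The function's closing brace is outside the hunk.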
@@ -730,7 +705,7 @@ iptablesAddForwardRejectOut(virFirewallP
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectOut(fw, layer, true, iface, ADD);
+ iptablesForwardRejectOut(fw, layer, iface, ADD);
}
/**
@@ -748,21 +723,19 @@ iptablesRemoveForwardRejectOut(virFirewa
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectOut(fw, layer, deletePrivate, iface, REMOVE);
+ iptablesForwardRejectOut(fw, layer, iface, REMOVE);
}
static void
iptablesForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
- bool pvt,
const char *iface,
int action)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
- pvt ? "LIBVIRT_FWI" : "FORWARD",
+ action == ADD ? "--insert" : "--delete", "FORWARD",
"--out-interface", iface,
"--jump", "REJECT",
NULL);
@@ -783,7 +756,7 @@ iptablesAddForwardRejectIn(virFirewallPt
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectIn(fw, layer, true, iface, ADD);
+ iptablesForwardRejectIn(fw, layer, iface, ADD);
}
/**
@@ -801,7 +774,7 @@ iptablesRemoveForwardRejectIn(virFirewal
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectIn(fw, layer, deletePrivate, iface, REMOVE);
+ iptablesForwardRejectIn(fw, layer, iface, REMOVE);
}
@@ -810,7 +783,6 @@ iptablesRemoveForwardRejectIn(virFirewal
*/
static int
iptablesForwardMasquerade(virFirewallPtr fw,
- bool pvt,
virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
@@ -849,8 +821,7 @@ iptablesForwardMasquerade(virFirewallPtr
if (protocol && protocol[0]) {
rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" : "--delete",
- pvt ? "LIBVIRT_PRT" : "POSTROUTING",
+ action == ADD ? "--insert" : "--delete", "POSTROUTING",
"--source", networkstr,
"-p", protocol,
"!", "--destination", networkstr,
@@ -858,8 +829,7 @@ iptablesForwardMasquerade(virFirewallPtr
} else {
rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" : "--delete",
- pvt ? "LIBVIRT_PRT" : "POSTROUTING",
+ action == ADD ? "--insert" : "--delete", "POSTROUTING",
"--source", networkstr,
"!", "--destination", networkstr,
NULL);
@@ -937,8 +907,8 @@ iptablesAddForwardMasquerade(virFirewall
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(fw, true, netaddr, prefix,
- physdev, addr, port, protocol, ADD);
+ return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
+ protocol, ADD);
}
/**
@@ -963,8 +933,8 @@ iptablesRemoveForwardMasquerade(virFirew
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(fw, deletePrivate, netaddr, prefix,
- physdev, addr, port, protocol, REMOVE);
+ return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
+ protocol, REMOVE);
}
@@ -973,7 +943,6 @@ iptablesRemoveForwardMasquerade(virFirew
*/
static int
iptablesForwardDontMasquerade(virFirewallPtr fw,
- bool pvt,
virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
@@ -996,8 +965,7 @@ iptablesForwardDontMasquerade(virFirewal
if (physdev && physdev[0])
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" : "--delete",
- pvt ? "LIBVIRT_PRT" : "POSTROUTING",
+ action == ADD ? "--insert" : "--delete", "POSTROUTING",
"--out-interface", physdev,
"--source", networkstr,
"--destination", destaddr,
@@ -1006,8 +974,7 @@ iptablesForwardDontMasquerade(virFirewal
else
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" : "--delete",
- pvt ? "LIBVIRT_PRT" : "POSTROUTING",
+ action == ADD ? "--insert" : "--delete", "POSTROUTING",
"--source", networkstr,
"--destination", destaddr,
"--jump", "RETURN",
@@ -1037,8 +1004,8 @@ iptablesAddDontMasquerade(virFirewallPtr
const char *physdev,
const char *destaddr)
{
- return iptablesForwardDontMasquerade(fw, true, netaddr, prefix,
- physdev, destaddr, ADD);
+ return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
+ ADD);
}
/**
@@ -1062,14 +1029,13 @@ iptablesRemoveDontMasquerade(virFirewall
const char *physdev,
const char *destaddr)
{
- return iptablesForwardDontMasquerade(fw, deletePrivate, netaddr, prefix,
- physdev, destaddr, REMOVE);
+ return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
+ REMOVE);
}
static void
iptablesOutputFixUdpChecksum(virFirewallPtr fw,
- bool pvt,
const char *iface,
int port,
int action)
@@ -1081,8 +1047,7 @@ iptablesOutputFixUdpChecksum(virFirewall
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "mangle",
- action == ADD ? "--insert" : "--delete",
- pvt ? "LIBVIRT_PRT" : "POSTROUTING",
+ action == ADD ? "--insert" : "--delete", "POSTROUTING",
"--out-interface", iface,
"--protocol", "udp",
"--destination-port", portstr,
@@ -1106,7 +1071,7 @@ iptablesAddOutputFixUdpChecksum(virFirew
const char *iface,
int port)
{
- iptablesOutputFixUdpChecksum(fw, true, iface, port, ADD);
+ iptablesOutputFixUdpChecksum(fw, iface, port, ADD);
}
/**
@@ -1123,5 +1088,5 @@ iptablesRemoveOutputFixUdpChecksum(virFi
const char *iface,
int port)
{
- iptablesOutputFixUdpChecksum(fw, deletePrivate, iface, port, REMOVE);
+ iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE);
}
Index: libvirt-5.1.0/src/util/viriptables.h
===================================================================
--- libvirt-5.1.0.orig/src/util/viriptables.h
+++ libvirt-5.1.0/src/util/viriptables.h
@@ -26,8 +26,6 @@
int iptablesSetupPrivateChains (void);
-void iptablesSetDeletePrivate (bool pvt);
-
void iptablesAddTcpInput (virFirewallPtr fw,
virFirewallLayer layer,
const char *iface,
Index: libvirt-5.1.0/tests/networkxml2firewalldata/nat-default-linux.args
===================================================================
--- libvirt-5.1.0.orig/tests/networkxml2firewalldata/nat-default-linux.args
+++ libvirt-5.1.0/tests/networkxml2firewalldata/nat-default-linux.args
@@ -1,63 +1,63 @@
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_OUT \
+--insert OUTPUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert LIBVIRT_FWX \
+--insert FORWARD \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -65,13 +65,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -79,7 +79,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -87,19 +87,19 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table mangle \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
Index: libvirt-5.1.0/tests/networkxml2firewalldata/nat-ipv6-linux.args
===================================================================
--- libvirt-5.1.0.orig/tests/networkxml2firewalldata/nat-ipv6-linux.args
+++ libvirt-5.1.0/tests/networkxml2firewalldata/nat-ipv6-linux.args
@@ -1,100 +1,100 @@
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_OUT \
+--insert OUTPUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert LIBVIRT_FWX \
+--insert FORWARD \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
--in-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
--out-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
---insert LIBVIRT_FWX \
+--insert FORWARD \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 547 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -102,13 +102,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -116,7 +116,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -124,31 +124,31 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
ip6tables \
--table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
--source 2001:db8:ca2:2::/64 \
--in-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
--destination 2001:db8:ca2:2::/64 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table mangle \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
Index: libvirt-5.1.0/tests/networkxml2firewalldata/nat-many-ips-linux.args
===================================================================
--- libvirt-5.1.0.orig/tests/networkxml2firewalldata/nat-many-ips-linux.args
+++ libvirt-5.1.0/tests/networkxml2firewalldata/nat-many-ips-linux.args
@@ -1,63 +1,63 @@
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_OUT \
+--insert OUTPUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert LIBVIRT_FWX \
+--insert FORWARD \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -65,13 +65,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -79,7 +79,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -87,25 +87,25 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
--source 192.168.128.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
--destination 192.168.128.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -113,13 +113,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.128.0/24 '!' \
--destination 192.168.128.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.128.0/24 \
-p udp '!' \
--destination 192.168.128.0/24 \
@@ -127,7 +127,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.128.0/24 \
-p tcp '!' \
--destination 192.168.128.0/24 \
@@ -135,25 +135,25 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.128.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.128.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
--source 192.168.150.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
--destination 192.168.150.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -161,13 +161,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.150.0/24 '!' \
--destination 192.168.150.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.150.0/24 \
-p udp '!' \
--destination 192.168.150.0/24 \
@@ -175,7 +175,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.150.0/24 \
-p tcp '!' \
--destination 192.168.150.0/24 \
@@ -183,19 +183,19 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.150.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.150.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table mangle \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
Index: libvirt-5.1.0/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
===================================================================
--- libvirt-5.1.0.orig/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
+++ libvirt-5.1.0/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
@@ -1,100 +1,100 @@
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_OUT \
+--insert OUTPUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert LIBVIRT_FWX \
+--insert FORWARD \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
--in-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
--out-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
---insert LIBVIRT_FWX \
+--insert FORWARD \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 547 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -102,13 +102,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -116,7 +116,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -124,25 +124,25 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
ip6tables \
--table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
--source 2001:db8:ca2:2::/64 \
--in-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
--destination 2001:db8:ca2:2::/64 \
--out-interface virbr0 \
--jump ACCEPT
Index: libvirt-5.1.0/tests/networkxml2firewalldata/nat-tftp-linux.args
===================================================================
--- libvirt-5.1.0.orig/tests/networkxml2firewalldata/nat-tftp-linux.args
+++ libvirt-5.1.0/tests/networkxml2firewalldata/nat-tftp-linux.args
@@ -1,70 +1,70 @@
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_OUT \
+--insert OUTPUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 69 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert LIBVIRT_FWX \
+--insert FORWARD \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -72,13 +72,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -86,7 +86,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -94,19 +94,19 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table mangle \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
Index: libvirt-5.1.0/tests/networkxml2firewalldata/route-default-linux.args
===================================================================
--- libvirt-5.1.0.orig/tests/networkxml2firewalldata/route-default-linux.args
+++ libvirt-5.1.0/tests/networkxml2firewalldata/route-default-linux.args
@@ -1,69 +1,69 @@
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_OUT \
+--insert OUTPUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert LIBVIRT_FWX \
+--insert FORWARD \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table mangle \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \