virFirewallSetLockOverride(bool avoid)
{
lockOverride = avoid;
+ if (avoid) {
+ /* add the lock option to all commands */
+ iptablesUseLock = true;
+ ip6tablesUseLock = true;
+ ebtablesUseLock = true;
+ }
}
static void
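Review bot: The new `if (avoid)` branch in virFirewallSetLockOverride() only ever sets iptablesUseLock, ip6tablesUseLock and ebtablesUseLock to true, so a later call with `avoid == false` leaves the lock arguments forced on. If that one-way behaviour is intended, the comment should say so; otherwise the flags need resetting on that path. The parameter name `avoid` also no longer describes the effect, since passing true now forces the lock option on rather than only skipping a probe (the probing code is outside this hunk, so that part is inferred from the name). I would replace the comment with something like `/* override skips probing the binaries, so force the lock option on; the flags are not cleared when avoid is false */`. This is worth spelling out because a command issued without `-w` can fail while another process holds the xtables lock, which would leave a firewall rule unapplied.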
iptables \
+-w \
--table filter \
--list-rules
iptables \
+-w \
--table nat \
--list-rules
iptables \
+-w \
--table mangle \
--list-rules
iptables \
+-w \
--table filter \
--new-chain LIBVIRT_INP
iptables \
+-w \
--table filter \
--insert INPUT \
--jump LIBVIRT_INP
iptables \
+-w \
--table filter \
--new-chain LIBVIRT_OUT
iptables \
+-w \
--table filter \
--insert OUTPUT \
--jump LIBVIRT_OUT
iptables \
+-w \
--table filter \
--new-chain LIBVIRT_FWO
iptables \
+-w \
--table filter \
--insert FORWARD \
--jump LIBVIRT_FWO
iptables \
+-w \
--table filter \
--new-chain LIBVIRT_FWI
iptables \
+-w \
--table filter \
--insert FORWARD \
--jump LIBVIRT_FWI
iptables \
+-w \
--table filter \
--new-chain LIBVIRT_FWX
iptables \
+-w \
--table filter \
--insert FORWARD \
--jump LIBVIRT_FWX
iptables \
+-w \
--table nat \
--new-chain LIBVIRT_PRT
iptables \
+-w \
--table nat \
--insert POSTROUTING \
--jump LIBVIRT_PRT
iptables \
+-w \
--table mangle \
--new-chain LIBVIRT_PRT
iptables \
+-w \
--table mangle \
--insert POSTROUTING \
--jump LIBVIRT_PRT
ip6tables \
+-w \
--table filter \
--list-rules
ip6tables \
+-w \
--table nat \
--list-rules
ip6tables \
+-w \
--table mangle \
--list-rules
ip6tables \
+-w \
--table filter \
--new-chain LIBVIRT_INP
ip6tables \
+-w \
--table filter \
--insert INPUT \
--jump LIBVIRT_INP
ip6tables \
+-w \
--table filter \
--new-chain LIBVIRT_OUT
ip6tables \
+-w \
--table filter \
--insert OUTPUT \
--jump LIBVIRT_OUT
ip6tables \
+-w \
--table filter \
--new-chain LIBVIRT_FWO
ip6tables \
+-w \
--table filter \
--insert FORWARD \
--jump LIBVIRT_FWO
ip6tables \
+-w \
--table filter \
--new-chain LIBVIRT_FWI
ip6tables \
+-w \
--table filter \
--insert FORWARD \
--jump LIBVIRT_FWI
ip6tables \
+-w \
--table filter \
--new-chain LIBVIRT_FWX
ip6tables \
+-w \
--table filter \
--insert FORWARD \
--jump LIBVIRT_FWX
ip6tables \
+-w \
--table nat \
--new-chain LIBVIRT_PRT
ip6tables \
+-w \
--table nat \
--insert POSTROUTING \
--jump LIBVIRT_PRT
ip6tables \
+-w \
--table mangle \
--new-chain LIBVIRT_PRT
ip6tables \
+-w \
--table mangle \
--insert POSTROUTING \
--jump LIBVIRT_PRT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 67 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 67 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 68 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 68 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWO \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWI \
--destination 192.168.122.0/24 \
--ctstate ESTABLISHED,RELATED \
--jump ACCEPT
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
+-w \
--table mangle \
--insert LIBVIRT_PRT \
--out-interface virbr0 \
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 67 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 67 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 68 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 68 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 547 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 546 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWO \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWI \
--destination 192.168.122.0/24 \
--ctstate ESTABLISHED,RELATED \
--jump ACCEPT
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_FWO \
--source 2001:db8:ca2:2::/64 \
--in-interface virbr0 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_FWI \
--destination 2001:db8:ca2:2::/64 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
+-w \
--table mangle \
--insert LIBVIRT_PRT \
--out-interface virbr0 \
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 67 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 67 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 68 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 68 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 547 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 546 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWO \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWI \
--destination 192.168.122.0/24 \
--ctstate ESTABLISHED,RELATED \
--jump ACCEPT
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_FWO \
--source 2001:db8:ca2:2::/64 \
--in-interface virbr0 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_FWI \
--destination 2001:db8:ca2:2::/64 \
--ctstate ESTABLISHED,RELATED \
--jump ACCEPT
ip6tables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 2001:db8:ca2:2::/64 '!' \
--destination 2001:db8:ca2:2::/64 \
--jump MASQUERADE
ip6tables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 2001:db8:ca2:2::/64 \
--jump MASQUERADE \
--to-ports 1024-65535
ip6tables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 2001:db8:ca2:2::/64 \
--jump MASQUERADE \
--to-ports 1024-65535
ip6tables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 2001:db8:ca2:2::/64 \
--destination ff02::/16 \
--jump RETURN
iptables \
+-w \
--table mangle \
--insert LIBVIRT_PRT \
--out-interface virbr0 \
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 67 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 67 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 68 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 68 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWO \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWI \
--destination 192.168.122.0/24 \
--ctstate ESTABLISHED,RELATED \
--jump ACCEPT
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWO \
--source 192.168.128.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWI \
--destination 192.168.128.0/24 \
--ctstate ESTABLISHED,RELATED \
--jump ACCEPT
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.128.0/24 '!' \
--destination 192.168.128.0/24 \
--jump MASQUERADE
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.128.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.128.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.128.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.128.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWO \
--source 192.168.150.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWI \
--destination 192.168.150.0/24 \
--ctstate ESTABLISHED,RELATED \
--jump ACCEPT
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.150.0/24 '!' \
--destination 192.168.150.0/24 \
--jump MASQUERADE
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.150.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.150.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.150.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.150.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
+-w \
--table mangle \
--insert LIBVIRT_PRT \
--out-interface virbr0 \
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 67 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 67 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 68 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 68 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 547 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 546 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWO \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWI \
--destination 192.168.122.0/24 \
--ctstate ESTABLISHED,RELATED \
--jump ACCEPT
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_FWO \
--source 2001:db8:ca2:2::/64 \
--in-interface virbr0 \
--jump ACCEPT
ip6tables \
+-w \
--table filter \
--insert LIBVIRT_FWI \
--destination 2001:db8:ca2:2::/64 \
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 67 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 67 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 68 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 68 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 69 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 69 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWO \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWI \
--destination 192.168.122.0/24 \
--ctstate ESTABLISHED,RELATED \
--jump ACCEPT
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
+-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
+-w \
--table mangle \
--insert LIBVIRT_PRT \
--out-interface virbr0 \
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 67 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 67 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 68 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 68 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--destination-port 53 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWO \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
+-w \
--table filter \
--insert LIBVIRT_FWI \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
+-w \
--table mangle \
--insert LIBVIRT_PRT \
--out-interface virbr0 \
#define VIR_NWFILTER_NEW_RULES_TEARDOWN \
- "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n" \
- "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n" \
- "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" \
- "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n" \
- "iptables -F FP-vnet0\n" \
- "iptables -X FP-vnet0\n" \
- "iptables -F FJ-vnet0\n" \
- "iptables -X FJ-vnet0\n" \
- "iptables -F HJ-vnet0\n" \
- "iptables -X HJ-vnet0\n" \
- "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n" \
- "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n" \
- "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" \
- "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n" \
- "ip6tables -F FP-vnet0\n" \
- "ip6tables -X FP-vnet0\n" \
- "ip6tables -F FJ-vnet0\n" \
- "ip6tables -X FJ-vnet0\n" \
- "ip6tables -F HJ-vnet0\n" \
- "ip6tables -X HJ-vnet0\n" \
- "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n" \
- "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n" \
- "ebtables -t nat -L libvirt-J-vnet0\n" \
- "ebtables -t nat -L libvirt-P-vnet0\n" \
- "ebtables -t nat -F libvirt-J-vnet0\n" \
- "ebtables -t nat -X libvirt-J-vnet0\n" \
- "ebtables -t nat -F libvirt-P-vnet0\n" \
- "ebtables -t nat -X libvirt-P-vnet0\n"
+ "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n" \
+ "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n" \
+ "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" \
+ "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n" \
+ "iptables -w -F FP-vnet0\n" \
+ "iptables -w -X FP-vnet0\n" \
+ "iptables -w -F FJ-vnet0\n" \
+ "iptables -w -X FJ-vnet0\n" \
+ "iptables -w -F HJ-vnet0\n" \
+ "iptables -w -X HJ-vnet0\n" \
+ "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n" \
+ "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n" \
+ "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" \
+ "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n" \
+ "ip6tables -w -F FP-vnet0\n" \
+ "ip6tables -w -X FP-vnet0\n" \
+ "ip6tables -w -F FJ-vnet0\n" \
+ "ip6tables -w -X FJ-vnet0\n" \
+ "ip6tables -w -F HJ-vnet0\n" \
+ "ip6tables -w -X HJ-vnet0\n" \
+ "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n" \
+ "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n" \
+ "ebtables --concurrent -t nat -L libvirt-J-vnet0\n" \
+ "ebtables --concurrent -t nat -L libvirt-P-vnet0\n" \
+ "ebtables --concurrent -t nat -F libvirt-J-vnet0\n" \
+ "ebtables --concurrent -t nat -X libvirt-J-vnet0\n" \
+ "ebtables --concurrent -t nat -F libvirt-P-vnet0\n" \
+ "ebtables --concurrent -t nat -X libvirt-P-vnet0\n"
static int
testNWFilterEBIPTablesAllTeardown(const void *opaque G_GNUC_UNUSED)
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
const char *expected =
VIR_NWFILTER_NEW_RULES_TEARDOWN
- "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
- "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
- "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
- "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
- "iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
- "iptables -F FO-vnet0\n"
- "iptables -X FO-vnet0\n"
- "iptables -F FI-vnet0\n"
- "iptables -X FI-vnet0\n"
- "iptables -F HI-vnet0\n"
- "iptables -X HI-vnet0\n"
- "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
- "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
- "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
- "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
- "ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
- "ip6tables -F FO-vnet0\n"
- "ip6tables -X FO-vnet0\n"
- "ip6tables -F FI-vnet0\n"
- "ip6tables -X FI-vnet0\n"
- "ip6tables -F HI-vnet0\n"
- "ip6tables -X HI-vnet0\n"
- "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
- "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
- "ebtables -t nat -L libvirt-I-vnet0\n"
- "ebtables -t nat -L libvirt-O-vnet0\n"
- "ebtables -t nat -F libvirt-I-vnet0\n"
- "ebtables -t nat -X libvirt-I-vnet0\n"
- "ebtables -t nat -F libvirt-O-vnet0\n"
- "ebtables -t nat -X libvirt-O-vnet0\n";
+ "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+ "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+ "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+ "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+ "iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+ "iptables -w -F FO-vnet0\n"
+ "iptables -w -X FO-vnet0\n"
+ "iptables -w -F FI-vnet0\n"
+ "iptables -w -X FI-vnet0\n"
+ "iptables -w -F HI-vnet0\n"
+ "iptables -w -X HI-vnet0\n"
+ "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+ "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+ "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+ "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+ "ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+ "ip6tables -w -F FO-vnet0\n"
+ "ip6tables -w -X FO-vnet0\n"
+ "ip6tables -w -F FI-vnet0\n"
+ "ip6tables -w -X FI-vnet0\n"
+ "ip6tables -w -F HI-vnet0\n"
+ "ip6tables -w -X HI-vnet0\n"
+ "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -X libvirt-O-vnet0\n";
char *actual = NULL;
int ret = -1;
{
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
const char *expected =
- "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
- "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
- "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
- "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
- "iptables -F FO-vnet0\n"
- "iptables -X FO-vnet0\n"
- "iptables -F FI-vnet0\n"
- "iptables -X FI-vnet0\n"
- "iptables -F HI-vnet0\n"
- "iptables -X HI-vnet0\n"
- "iptables -E FP-vnet0 FO-vnet0\n"
- "iptables -E FJ-vnet0 FI-vnet0\n"
- "iptables -E HJ-vnet0 HI-vnet0\n"
- "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
- "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
- "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
- "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
- "ip6tables -F FO-vnet0\n"
- "ip6tables -X FO-vnet0\n"
- "ip6tables -F FI-vnet0\n"
- "ip6tables -X FI-vnet0\n"
- "ip6tables -F HI-vnet0\n"
- "ip6tables -X HI-vnet0\n"
- "ip6tables -E FP-vnet0 FO-vnet0\n"
- "ip6tables -E FJ-vnet0 FI-vnet0\n"
- "ip6tables -E HJ-vnet0 HI-vnet0\n"
- "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
- "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
- "ebtables -t nat -L libvirt-I-vnet0\n"
- "ebtables -t nat -L libvirt-O-vnet0\n"
- "ebtables -t nat -F libvirt-I-vnet0\n"
- "ebtables -t nat -X libvirt-I-vnet0\n"
- "ebtables -t nat -F libvirt-O-vnet0\n"
- "ebtables -t nat -X libvirt-O-vnet0\n"
- "ebtables -t nat -L libvirt-J-vnet0\n"
- "ebtables -t nat -L libvirt-P-vnet0\n"
- "ebtables -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
- "ebtables -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
+ "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+ "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+ "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+ "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+ "iptables -w -F FO-vnet0\n"
+ "iptables -w -X FO-vnet0\n"
+ "iptables -w -F FI-vnet0\n"
+ "iptables -w -X FI-vnet0\n"
+ "iptables -w -F HI-vnet0\n"
+ "iptables -w -X HI-vnet0\n"
+ "iptables -w -E FP-vnet0 FO-vnet0\n"
+ "iptables -w -E FJ-vnet0 FI-vnet0\n"
+ "iptables -w -E HJ-vnet0 HI-vnet0\n"
+ "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+ "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+ "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+ "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+ "ip6tables -w -F FO-vnet0\n"
+ "ip6tables -w -X FO-vnet0\n"
+ "ip6tables -w -F FI-vnet0\n"
+ "ip6tables -w -X FI-vnet0\n"
+ "ip6tables -w -F HI-vnet0\n"
+ "ip6tables -w -X HI-vnet0\n"
+ "ip6tables -w -E FP-vnet0 FO-vnet0\n"
+ "ip6tables -w -E FJ-vnet0 FI-vnet0\n"
+ "ip6tables -w -E HJ-vnet0 HI-vnet0\n"
+ "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -L libvirt-J-vnet0\n"
+ "ebtables --concurrent -t nat -L libvirt-P-vnet0\n"
+ "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
char *actual = NULL;
int ret = -1;
{
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
const char *expected =
- "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
- "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
- "ebtables -t nat -L libvirt-I-vnet0\n"
- "ebtables -t nat -L libvirt-O-vnet0\n"
- "ebtables -t nat -F libvirt-I-vnet0\n"
- "ebtables -t nat -X libvirt-I-vnet0\n"
- "ebtables -t nat -F libvirt-O-vnet0\n"
- "ebtables -t nat -X libvirt-O-vnet0\n"
- "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
- "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
- "ebtables -t nat -L libvirt-J-vnet0\n"
- "ebtables -t nat -L libvirt-P-vnet0\n"
- "ebtables -t nat -F libvirt-J-vnet0\n"
- "ebtables -t nat -X libvirt-J-vnet0\n"
- "ebtables -t nat -F libvirt-P-vnet0\n"
- "ebtables -t nat -X libvirt-P-vnet0\n";
+ "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
+ "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
+ "ebtables --concurrent -t nat -L libvirt-J-vnet0\n"
+ "ebtables --concurrent -t nat -L libvirt-P-vnet0\n"
+ "ebtables --concurrent -t nat -F libvirt-J-vnet0\n"
+ "ebtables --concurrent -t nat -X libvirt-J-vnet0\n"
+ "ebtables --concurrent -t nat -F libvirt-P-vnet0\n"
+ "ebtables --concurrent -t nat -X libvirt-P-vnet0\n";
char *actual = NULL;
int ret = -1;
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
const char *expected =
VIR_NWFILTER_NEW_RULES_TEARDOWN
- "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
- "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
- "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
- "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
- "iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
- "iptables -F FO-vnet0\n"
- "iptables -X FO-vnet0\n"
- "iptables -F FI-vnet0\n"
- "iptables -X FI-vnet0\n"
- "iptables -F HI-vnet0\n"
- "iptables -X HI-vnet0\n"
- "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
- "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
- "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
- "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
- "ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
- "ip6tables -F FO-vnet0\n"
- "ip6tables -X FO-vnet0\n"
- "ip6tables -F FI-vnet0\n"
- "ip6tables -X FI-vnet0\n"
- "ip6tables -F HI-vnet0\n"
- "ip6tables -X HI-vnet0\n"
- "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
- "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
- "ebtables -t nat -L libvirt-I-vnet0\n"
- "ebtables -t nat -L libvirt-O-vnet0\n"
- "ebtables -t nat -F libvirt-I-vnet0\n"
- "ebtables -t nat -X libvirt-I-vnet0\n"
- "ebtables -t nat -F libvirt-O-vnet0\n"
- "ebtables -t nat -X libvirt-O-vnet0\n"
- "ebtables -t nat -N libvirt-J-vnet0\n"
- "ebtables -t nat -A libvirt-J-vnet0 -s '!' 10:20:30:40:50:60 -j DROP\n"
- "ebtables -t nat -A libvirt-J-vnet0 -p IPv4 -j ACCEPT\n"
- "ebtables -t nat -A libvirt-J-vnet0 -p ARP -j ACCEPT\n"
- "ebtables -t nat -A libvirt-J-vnet0 -j DROP\n"
- "ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
- "ebtables -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n";
+ "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+ "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+ "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+ "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+ "iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+ "iptables -w -F FO-vnet0\n"
+ "iptables -w -X FO-vnet0\n"
+ "iptables -w -F FI-vnet0\n"
+ "iptables -w -X FI-vnet0\n"
+ "iptables -w -F HI-vnet0\n"
+ "iptables -w -X HI-vnet0\n"
+ "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+ "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+ "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+ "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+ "ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+ "ip6tables -w -F FO-vnet0\n"
+ "ip6tables -w -X FO-vnet0\n"
+ "ip6tables -w -F FI-vnet0\n"
+ "ip6tables -w -X FI-vnet0\n"
+ "ip6tables -w -F HI-vnet0\n"
+ "ip6tables -w -X HI-vnet0\n"
+ "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -N libvirt-J-vnet0\n"
+ "ebtables --concurrent -t nat -A libvirt-J-vnet0 -s '!' 10:20:30:40:50:60 -j DROP\n"
+ "ebtables --concurrent -t nat -A libvirt-J-vnet0 -p IPv4 -j ACCEPT\n"
+ "ebtables --concurrent -t nat -A libvirt-J-vnet0 -p ARP -j ACCEPT\n"
+ "ebtables --concurrent -t nat -A libvirt-J-vnet0 -j DROP\n"
+ "ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
+ "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n";
char *actual = NULL;
int ret = -1;
virMacAddr mac = { .addr = { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } };
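Review bot: Every iptables and ip6tables command in this expected string now carries a bare `-w`, which per iptables(8) waits for the xtables lock with no upper bound, and nothing beside the string records that this is intended. The code that builds these commands, like the rest of this test function, is outside the hunk, so whether a bounded `-w <seconds>` would be preferable cannot be judged from here. If the unbounded wait is deliberate, a comment above `const char *expected =` would say so, for example `/* lock flags are always emitted; -w has no timeout, so the commands block while another process holds the lock */`. The same applies to the two expected strings that follow in this file.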
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
const char *expected =
VIR_NWFILTER_NEW_RULES_TEARDOWN
- "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
- "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
- "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
- "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
- "iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
- "iptables -F FO-vnet0\n"
- "iptables -X FO-vnet0\n"
- "iptables -F FI-vnet0\n"
- "iptables -X FI-vnet0\n"
- "iptables -F HI-vnet0\n"
- "iptables -X HI-vnet0\n"
- "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
- "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
- "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
- "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
- "ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
- "ip6tables -F FO-vnet0\n"
- "ip6tables -X FO-vnet0\n"
- "ip6tables -F FI-vnet0\n"
- "ip6tables -X FI-vnet0\n"
- "ip6tables -F HI-vnet0\n"
- "ip6tables -X HI-vnet0\n"
- "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
- "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
- "ebtables -t nat -L libvirt-I-vnet0\n"
- "ebtables -t nat -L libvirt-O-vnet0\n"
- "ebtables -t nat -F libvirt-I-vnet0\n"
- "ebtables -t nat -X libvirt-I-vnet0\n"
- "ebtables -t nat -F libvirt-O-vnet0\n"
- "ebtables -t nat -X libvirt-O-vnet0\n"
- "ebtables -t nat -N libvirt-J-vnet0\n"
- "ebtables -t nat -N libvirt-P-vnet0\n"
- "ebtables -t nat -A libvirt-J-vnet0 -s 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-sport 68 --ip-dport 67 -j ACCEPT\n"
- "ebtables -t nat -A libvirt-J-vnet0 -j DROP\n"
- "ebtables -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
- "ebtables -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
- "ebtables -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
- "ebtables -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
- "ebtables -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
- "ebtables -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
- "ebtables -t nat -A libvirt-P-vnet0 -j DROP\n"
- "ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
- "ebtables -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
- "ebtables -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
- "ebtables -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
+ "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+ "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+ "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+ "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+ "iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+ "iptables -w -F FO-vnet0\n"
+ "iptables -w -X FO-vnet0\n"
+ "iptables -w -F FI-vnet0\n"
+ "iptables -w -X FI-vnet0\n"
+ "iptables -w -F HI-vnet0\n"
+ "iptables -w -X HI-vnet0\n"
+ "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+ "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+ "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+ "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+ "ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+ "ip6tables -w -F FO-vnet0\n"
+ "ip6tables -w -X FO-vnet0\n"
+ "ip6tables -w -F FI-vnet0\n"
+ "ip6tables -w -X FI-vnet0\n"
+ "ip6tables -w -F HI-vnet0\n"
+ "ip6tables -w -X HI-vnet0\n"
+ "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -N libvirt-J-vnet0\n"
+ "ebtables --concurrent -t nat -N libvirt-P-vnet0\n"
+ "ebtables --concurrent -t nat -A libvirt-J-vnet0 -s 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-sport 68 --ip-dport 67 -j ACCEPT\n"
+ "ebtables --concurrent -t nat -A libvirt-J-vnet0 -j DROP\n"
+ "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
+ "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
+ "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
+ "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
+ "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
+ "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
+ "ebtables --concurrent -t nat -A libvirt-P-vnet0 -j DROP\n"
+ "ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
+ "ebtables --concurrent -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
+ "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
char *actual = NULL;
int ret = -1;
virMacAddr mac = { .addr = { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } };
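Review bot: The first thirty added lines of this expected string, from `iptables -w -D libvirt-out …` through `ebtables --concurrent -t nat -X libvirt-O-vnet0`, are identical to the ones in the preceding expected string and in the next one, so this flag change had to be made by hand in three places. Since each of these strings already opens with the `VIR_NWFILTER_NEW_RULES_TEARDOWN` macro, the shared sequence could live in a second string macro next to it, leaving each test to list only its own `-N`/`-A`/`-E` rules. The enclosing function starts and ends outside this hunk.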
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
const char *expected =
VIR_NWFILTER_NEW_RULES_TEARDOWN
- "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
- "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
- "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
- "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
- "iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
- "iptables -F FO-vnet0\n"
- "iptables -X FO-vnet0\n"
- "iptables -F FI-vnet0\n"
- "iptables -X FI-vnet0\n"
- "iptables -F HI-vnet0\n"
- "iptables -X HI-vnet0\n"
- "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
- "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
- "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
- "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
- "ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
- "ip6tables -F FO-vnet0\n"
- "ip6tables -X FO-vnet0\n"
- "ip6tables -F FI-vnet0\n"
- "ip6tables -X FI-vnet0\n"
- "ip6tables -F HI-vnet0\n"
- "ip6tables -X HI-vnet0\n"
- "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
- "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
- "ebtables -t nat -L libvirt-I-vnet0\n"
- "ebtables -t nat -L libvirt-O-vnet0\n"
- "ebtables -t nat -F libvirt-I-vnet0\n"
- "ebtables -t nat -X libvirt-I-vnet0\n"
- "ebtables -t nat -F libvirt-O-vnet0\n"
- "ebtables -t nat -X libvirt-O-vnet0\n"
- "ebtables -t nat -N libvirt-J-vnet0\n"
- "ebtables -t nat -N libvirt-P-vnet0\n"
- "ebtables -t nat -A libvirt-J-vnet0 -j DROP\n"
- "ebtables -t nat -A libvirt-P-vnet0 -j DROP\n"
- "ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
- "ebtables -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
- "ebtables -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
- "ebtables -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
+ "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+ "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+ "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+ "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+ "iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+ "iptables -w -F FO-vnet0\n"
+ "iptables -w -X FO-vnet0\n"
+ "iptables -w -F FI-vnet0\n"
+ "iptables -w -X FI-vnet0\n"
+ "iptables -w -F HI-vnet0\n"
+ "iptables -w -X HI-vnet0\n"
+ "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+ "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+ "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+ "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+ "ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+ "ip6tables -w -F FO-vnet0\n"
+ "ip6tables -w -X FO-vnet0\n"
+ "ip6tables -w -F FI-vnet0\n"
+ "ip6tables -w -X FI-vnet0\n"
+ "ip6tables -w -F HI-vnet0\n"
+ "ip6tables -w -X HI-vnet0\n"
+ "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
+ "ebtables --concurrent -t nat -N libvirt-J-vnet0\n"
+ "ebtables --concurrent -t nat -N libvirt-P-vnet0\n"
+ "ebtables --concurrent -t nat -A libvirt-J-vnet0 -j DROP\n"
+ "ebtables --concurrent -t nat -A libvirt-P-vnet0 -j DROP\n"
+ "ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
+ "ebtables --concurrent -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
+ "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
+ "ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
char *actual = NULL;
int ret = -1;
ip6tables \
+-w \
-A FJ-vnet0 \
-p ah \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p ah \
--destination f:e:d::c:b:a/127 \
--state ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p ah \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FJ-vnet0 \
-p ah \
--destination a:b:c::/128 \
--state ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p ah \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p ah \
--destination a:b:c::/128 \
--state ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FJ-vnet0 \
-p ah \
--destination ::10.1.2.3/128 \
--state ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p ah \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p ah \
--destination ::10.1.2.3/128 \
iptables \
+-w \
-A FJ-vnet0 \
-p ah \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p ah \
--source 10.1.2.3/32 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p ah \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p ah \
--destination 10.1.2.3/22 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p ah \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p ah \
--destination 10.1.2.3/22 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p ah \
--destination 10.1.2.3/22 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p ah \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p ah \
--destination 10.1.2.3/22 \
ip6tables \
+-w \
-A FJ-vnet0 \
-p all \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p all \
--destination f:e:d::c:b:a/127 \
--state ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p all \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FJ-vnet0 \
-p all \
--destination a:b:c::/128 \
--state ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p all \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p all \
--destination a:b:c::/128 \
--state ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FJ-vnet0 \
-p all \
--destination ::10.1.2.3/128 \
--state ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p all \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p all \
--destination ::10.1.2.3/128 \
iptables \
+-w \
-A FJ-vnet0 \
-p all \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p all \
--source 10.1.2.3/32 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p all \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p all \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p all \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--arp-mac-dst 0a:0b:0c:0d:0e:0f \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--arp-ptype 0xff \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--arp-ptype 0x100 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--arp-ptype 0xffff \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-p 0x806 \
ebtables \
+--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-p 0x1234 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--ip-tos 0x32 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
--ip6-destination-port 13107:65535 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--arp-mac-dst 0a:0b:0c:0d:0e:0f \
-j ACCEPT
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
-m mac \
--comment 'udp rule' \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udp \
--source 10.1.2.3/32 \
--comment 'udp rule' \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
-m mac \
--comment 'udp rule' \
-j RETURN
ip6tables \
+-w \
-A FJ-vnet0 \
-p tcp \
--destination a:b:c::/128 \
--comment 'tcp/ipv6 rule' \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p tcp \
-m mac \
--comment 'tcp/ipv6 rule' \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p tcp \
--destination a:b:c::/128 \
--comment 'tcp/ipv6 rule' \
-j RETURN
ip6tables \
+-w \
-A FJ-vnet0 \
-p udp \
-m state \
--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p udp \
-m state \
--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p udp \
-m state \
--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' \
-j RETURN
ip6tables \
+-w \
-A FJ-vnet0 \
-p sctp \
-m state \
--comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p sctp \
-m state \
--comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p sctp \
-m state \
--comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' \
-j RETURN
ip6tables \
+-w \
-A FJ-vnet0 \
-p ah \
-m state \
-f ${tmp}' \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p ah \
-m state \
-f ${tmp}' \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p ah \
-m state \
iptables \
+-w \
-A FJ-vnet0 \
-p icmp \
-m connlimit \
--connlimit-above 1 \
-j DROP
iptables \
+-w \
-A HJ-vnet0 \
-p icmp \
-m connlimit \
--connlimit-above 1 \
-j DROP
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
-m connlimit \
--connlimit-above 2 \
-j DROP
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
-m connlimit \
--connlimit-above 2 \
-j DROP
iptables \
+-w \
-A FJ-vnet0 \
-p all \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p all \
-m state \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p all \
-m state \
ip6tables \
+-w \
-A FJ-vnet0 \
-p esp \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p esp \
--destination f:e:d::c:b:a/127 \
--state ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p esp \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FJ-vnet0 \
-p esp \
--destination a:b:c::/128 \
--state ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p esp \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p esp \
--destination a:b:c::/128 \
--state ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FJ-vnet0 \
-p esp \
--destination ::10.1.2.3/128 \
--state ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p esp \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p esp \
--destination ::10.1.2.3/128 \
iptables \
+-w \
-A FJ-vnet0 \
-p esp \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p esp \
--source 10.1.2.3/32 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p esp \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p esp \
--destination 10.1.2.3/22 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p esp \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p esp \
--destination 10.1.2.3/22 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p esp \
--destination 10.1.2.3/22 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p esp \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p esp \
--destination 10.1.2.3/22 \
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--sport 22 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--dport 22 \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--sport 22 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p icmp \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p icmp \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p icmp \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p all \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p all \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p all \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p all \
-j DROP
iptables \
+-w \
-A FP-vnet0 \
-p all \
-j DROP
iptables \
+-w \
-A HJ-vnet0 \
-p all \
-j DROP
iptables \
+-w \
-A FJ-vnet0 \
-p all \
-m state \
--comment 'out: existing and related (ftp) connections' \
-j RETURN
iptables \
+-w \
-A HJ-vnet0 \
-p all \
-m state \
--comment 'out: existing and related (ftp) connections' \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p all \
-m state \
--comment 'in: existing connections' \
-j ACCEPT
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--dport 21:22 \
--comment 'in: ftp and ssh' \
-j ACCEPT
iptables \
+-w \
-A FP-vnet0 \
-p icmp \
-m state \
--comment 'in: icmp' \
-j ACCEPT
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
--dport 53 \
--comment 'out: DNS lookups' \
-j RETURN
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
--dport 53 \
--comment 'out: DNS lookups' \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p all \
-m comment \
--comment 'inout: drop all non-accepted traffic' \
-j DROP
iptables \
+-w \
-A FP-vnet0 \
-p all \
-m comment \
--comment 'inout: drop all non-accepted traffic' \
-j DROP
iptables \
+-w \
-A HJ-vnet0 \
-p all \
-m comment \
ebtables \
+--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-p 0x1234 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--ip-tos 0x32 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
--ip6-destination-port 13107:65535 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--arp-mac-dst 0a:0b:0c:0d:0e:0f \
-j ACCEPT
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udp \
--source 10.1.2.3/32 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FJ-vnet0 \
-p tcp \
--destination a:b:c::/128 \
--state ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p tcp \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p tcp \
--destination a:b:c::/128 \
iptables \
+-w \
-A FP-vnet0 \
-p icmp \
--icmp-type 0 \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A FJ-vnet0 \
-p icmp \
--icmp-type 8 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A HJ-vnet0 \
-p icmp \
--icmp-type 8 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p icmp \
-j DROP
iptables \
+-w \
-A FP-vnet0 \
-p icmp \
-j DROP
iptables \
+-w \
-A HJ-vnet0 \
-p icmp \
-j DROP
iptables \
+-w \
-A FP-vnet0 \
-p icmp \
--icmp-type 8 \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A FJ-vnet0 \
-p icmp \
--icmp-type 0 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A HJ-vnet0 \
-p icmp \
--icmp-type 0 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p icmp \
-j DROP
iptables \
+-w \
-A FP-vnet0 \
-p icmp \
-j DROP
iptables \
+-w \
-A HJ-vnet0 \
-p icmp \
-j DROP
iptables \
+-w \
-A FJ-vnet0 \
-p icmp \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p icmp \
-m state \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p icmp \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p all \
-j DROP
iptables \
+-w \
-A FP-vnet0 \
-p all \
-j DROP
iptables \
+-w \
-A HJ-vnet0 \
-p all \
-j DROP
iptables \
+-w \
-A FJ-vnet0 \
-p icmp \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A HJ-vnet0 \
-p icmp \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p icmp \
-m mac \
ip6tables \
+-w \
-A FJ-vnet0 \
-p icmpv6 \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A HJ-vnet0 \
-p icmpv6 \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p icmpv6 \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A FP-vnet0 \
-p icmpv6 \
-m mac \
iptables \
+-w \
-A FJ-vnet0 \
-p igmp \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p igmp \
--source 10.1.2.3/32 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p igmp \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p igmp \
--destination 10.1.2.3/22 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p igmp \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p igmp \
--destination 10.1.2.3/22 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p igmp \
--destination 10.1.2.3/22 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p igmp \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p igmp \
--destination 10.1.2.3/22 \
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--ip-destination-port 100:101 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-p ipv4 \
--ip-tos 0x3f \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-p ipv4 \
iptables \
+-w \
-A FJ-vnet0 \
-p all \
-m state \
--match-set tck_test src,dst \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p all \
-m state \
--match-set tck_test dst,src \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p all \
-m state \
--match-set tck_test src,dst \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p all \
-m set \
--comment in+NONE \
-j ACCEPT
iptables \
+-w \
-A FJ-vnet0 \
-p all \
-m set \
--comment out+NONE \
-j RETURN
iptables \
+-w \
-A HJ-vnet0 \
-p all \
-m set \
--comment out+NONE \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p all \
-m state \
--match-set tck_test dst,src,dst \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p all \
-m state \
--match-set tck_test src,dst,src \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p all \
-m state \
--match-set tck_test dst,src,dst \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p all \
-m state \
--match-set tck_test dst,src,dst \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p all \
-m state \
--match-set tck_test src,dst,src \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p all \
-m state \
--match-set tck_test dst,src,dst \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p all \
-m state \
--match-set tck_test dst,src \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p all \
-m state \
--match-set tck_test src,dst \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p all \
-m state \
--match-set tck_test dst,src \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p all \
-m set \
--comment inout \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p all \
-m set \
--comment inout \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p all \
-m set \
iptables \
+-w \
-A FP-vnet0 \
-p all \
-m mac '!' \
--mac-source 12:34:56:78:9a:bc \
-j DROP
iptables \
+-w \
-A FP-vnet0 \
-p all \
-m mac '!' \
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
--ip6-destination-port 100:101 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-p ipv6 \
--ip6-source-port 100:101 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-p ipv6 \
--ip6-destination-port 100:101 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-p ipv6 \
--ip6-source-port 65535:65535 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-p ipv6 \
--ip6-destination-port 65535:65535 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-p ipv6 \
--ip6-protocol 18 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-p ipv6 \
--ip6-protocol 18 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-p ipv6 \
--ip6-icmp-type 1:11/10:11 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-p ipv6 \
--ip6-icmp-type 1:11/10:11 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-p ipv6 \
--ip6-icmp-type 1:1/10:10 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-p ipv6 \
--ip6-icmp-type 1:1/10:10 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-p ipv6 \
--ip6-icmp-type 0:255/10:10 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-p ipv6 \
--ip6-icmp-type 0:255/10:10 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-p ipv6 \
--ip6-icmp-type 1:1/0:255 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-p ipv6 \
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 1.1.1.1 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 3.3.3.3 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 3.3.3.3 \
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 1.1.1.1 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 3.3.3.3 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udp \
--destination 1.1.1.1 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udp \
--destination 3.3.3.3 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udp \
--destination 1.1.1.1 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udp \
--destination 3.3.3.3 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p sctp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p sctp \
--destination 1.1.1.1 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p sctp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p sctp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p sctp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p sctp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p sctp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p sctp \
--destination 3.3.3.3 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p sctp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p sctp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p sctp \
--destination 1.1.1.1 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p sctp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p sctp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p sctp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p sctp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p sctp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p sctp \
--destination 3.3.3.3 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p sctp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p sctp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p sctp \
--destination 1.1.1.1 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p sctp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p sctp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p sctp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p sctp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p sctp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p sctp \
--destination 3.3.3.3 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p sctp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p sctp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p sctp \
--destination 1.1.1.1 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p sctp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p sctp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p sctp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p sctp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p sctp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p sctp \
--destination 3.3.3.3 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p sctp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 1.1.1.1 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 3.3.3.3 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 1.1.1.1 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 3.3.3.3 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 1.1.1.1 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 3.3.3.3 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 1.1.1.1 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 3.3.3.3 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 1.1.1.1 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 3.3.3.3 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 1.1.1.1 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 3.3.3.3 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 1.1.1.1 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 3.3.3.3 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 1.1.1.1 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 3.3.3.3 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udp \
--destination 1.1.1.1 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udp \
--destination 3.3.3.3 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udp \
--destination 1.1.1.1 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udp \
--destination 3.3.3.3 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udp \
--destination 1.1.1.1 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udp \
--destination 3.3.3.3 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p sctp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p sctp \
--destination 1.1.1.1 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p sctp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p sctp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p sctp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p sctp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p sctp \
--source 3.3.3.3 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p sctp \
--destination 3.3.3.3 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p sctp \
--source 3.3.3.3 \
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 1.1.1.1 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--destination 1.1.1.1 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p sctp \
--source 2.2.2.2 \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p sctp \
--destination 2.2.2.2 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p sctp \
--source 2.2.2.2 \
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x800 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x600 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
ebtables \
+--concurrent \
-t nat \
-N libvirt-J-vnet0
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--arp-mac-dst 0a:0b:0c:0d:0e:0f \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--arp-ptype 0xff \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--arp-ptype 0x100 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--arp-ptype 0xffff \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A PREROUTING \
-i vnet0 \
ip6tables \
+-w \
-A FJ-vnet0 \
-p sctp \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p sctp \
--source a:b:c::d:e:f/128 \
--state ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p sctp \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FJ-vnet0 \
-p sctp \
--destination a:b:c::/128 \
--state ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p sctp \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p sctp \
--destination a:b:c::/128 \
--state ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FJ-vnet0 \
-p sctp \
--destination ::10.1.2.3/128 \
--state ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p sctp \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p sctp \
--destination ::10.1.2.3/128 \
iptables \
+-w \
-A FJ-vnet0 \
-p sctp \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p sctp \
--source 10.1.2.3/32 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p sctp \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p sctp \
--destination 10.1.2.3/32 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p sctp \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p sctp \
--destination 10.1.2.3/32 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p sctp \
--destination 10.1.2.3/32 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p sctp \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p sctp \
--destination 10.1.2.3/32 \
ebtables \
+--concurrent \
-t nat \
-F J-vnet0-stp-xyz
ebtables \
+--concurrent \
-t nat \
-X J-vnet0-stp-xyz
ebtables \
+--concurrent \
-t nat \
-N J-vnet0-stp-xyz
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-d 01:80:c2:00:00:00 \
-j J-vnet0-stp-xyz
ebtables \
+--concurrent \
-t nat \
-F P-vnet0-stp-xyz
ebtables \
+--concurrent \
-t nat \
-X P-vnet0-stp-xyz
ebtables \
+--concurrent \
-t nat \
-N P-vnet0-stp-xyz
ebtables \
+--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-d 01:80:c2:00:00:00 \
-j P-vnet0-stp-xyz
ebtables \
+--concurrent \
-t nat \
-A P-vnet0-stp-xyz \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--stp-flags 68 \
-j CONTINUE
ebtables \
+--concurrent \
-t nat \
-A J-vnet0-stp-xyz \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--stp-root-cost 287454020:573785173 \
-j RETURN
ebtables \
+--concurrent \
-t nat \
-A P-vnet0-stp-xyz \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 \
-j DROP
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 \
-j DROP
ebtables \
+--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x800 \
-j ACCEPT
ebtables \
+--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x800 \
-j DROP
ebtables \
+--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x800 \
-j DROP
iptables \
+-w \
-A FJ-vnet0 \
-p all \
-m mac \
-- dir out' \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p all \
--source 10.1.2.3/32 \
-- dir out' \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p all \
-m mac \
-- dir out' \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p all \
-m mac \
-- dir out' \
-j DROP
iptables \
+-w \
-A FP-vnet0 \
-p all \
--source 10.1.2.3/32 \
-- dir out' \
-j DROP
iptables \
+-w \
-A HJ-vnet0 \
-p all \
-m mac \
-- dir out' \
-j DROP
iptables \
+-w \
-A FJ-vnet0 \
-p all \
-m mac \
-- dir out' \
-j REJECT
iptables \
+-w \
-A FP-vnet0 \
-p all \
--source 10.1.2.3/32 \
-- dir out' \
-j REJECT
iptables \
+-w \
-A HJ-vnet0 \
-p all \
-m mac \
-- dir out' \
-j REJECT
iptables \
+-w \
-A FJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-- dir in' \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p all \
-m mac \
-- dir in' \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-- dir in' \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-- dir in' \
-j DROP
iptables \
+-w \
-A FP-vnet0 \
-p all \
-m mac \
-- dir in' \
-j DROP
iptables \
+-w \
-A HJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-- dir in' \
-j DROP
iptables \
+-w \
-A FJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-- dir in' \
-j REJECT
iptables \
+-w \
-A FP-vnet0 \
-p all \
-m mac \
-- dir in' \
-j REJECT
iptables \
+-w \
-A HJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-- dir in' \
-j REJECT
iptables \
+-w \
-A FJ-vnet0 \
-p all \
-m comment \
-- dir inout' \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p all \
-m comment \
-- dir inout' \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p all \
-m comment \
-- dir inout' \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p all \
-m comment \
-- dir inout' \
-j DROP
iptables \
+-w \
-A FP-vnet0 \
-p all \
-m comment \
-- dir inout' \
-j DROP
iptables \
+-w \
-A HJ-vnet0 \
-p all \
-m comment \
-- dir inout' \
-j DROP
iptables \
+-w \
-A FJ-vnet0 \
-p all \
-m comment \
-- dir inout' \
-j REJECT
iptables \
+-w \
-A FP-vnet0 \
-p all \
-m comment \
-- dir inout' \
-j REJECT
iptables \
+-w \
-A HJ-vnet0 \
-p all \
-m comment \
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--dport 22 \
-j ACCEPT
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--sport 22 \
-j RETURN
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--sport 22 \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--sport 80 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--dport 80 \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--sport 80 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
-j REJECT
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
-j REJECT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
-j REJECT
iptables \
+-w \
-A FJ-vnet0 \
-p all \
-j DROP
iptables \
+-w \
-A FP-vnet0 \
-p all \
-j DROP
iptables \
+-w \
-A HJ-vnet0 \
-p all \
-j DROP
ip6tables \
+-w \
-A FJ-vnet0 \
-p tcp \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p tcp \
--source a:b:c::d:e:f/128 \
--state ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p tcp \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FJ-vnet0 \
-p tcp \
--destination a:b:c::/128 \
--state ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p tcp \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p tcp \
--destination a:b:c::/128 \
--state ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FJ-vnet0 \
-p tcp \
--destination ::10.1.2.3/128 \
--state ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p tcp \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p tcp \
--destination ::10.1.2.3/128 \
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--source 10.1.2.3/32 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--destination 10.1.2.3/32 \
--sport 100:1111 \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
-m mac \
--dport 100:1111 \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--destination 10.1.2.3/32 \
--sport 100:1111 \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p tcp \
--destination 10.1.2.3/32 \
--sport 65535:65535 \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
-m mac \
--dport 65535:65535 \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p tcp \
--destination 10.1.2.3/32 \
--sport 65535:65535 \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--tcp-flags SYN ALL \
-j ACCEPT
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--tcp-flags SYN SYN,ACK \
-j ACCEPT
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--tcp-flags RST NONE \
-j ACCEPT
iptables \
+-w \
-A FP-vnet0 \
-p tcp \
--tcp-flags PSH NONE \
ip6tables \
+-w \
-A FJ-vnet0 \
-p udp \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p udp \
--source a:b:c::d:e:f/128 \
--state ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p udp \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FJ-vnet0 \
-p udp \
--destination ::a:b:c/128 \
--state ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p udp \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p udp \
--destination ::a:b:c/128 \
--state ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FJ-vnet0 \
-p udp \
--destination ::10.1.2.3/128 \
--state ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p udp \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p udp \
--destination ::10.1.2.3/128 \
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udp \
--source 10.1.2.3/32 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
--destination 10.1.2.3/32 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udp \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
--destination 10.1.2.3/32 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p udp \
--destination 10.1.2.3/32 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udp \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udp \
--destination 10.1.2.3/32 \
ip6tables \
+-w \
-A FJ-vnet0 \
-p udplite \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p udplite \
--destination f:e:d::c:b:a/127 \
--state ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p udplite \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FJ-vnet0 \
-p udplite \
--destination a:b:c::/128 \
--state ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p udplite \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p udplite \
--destination a:b:c::/128 \
--state ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FJ-vnet0 \
-p udplite \
--destination ::10.1.2.3/128 \
--state ESTABLISHED \
-j RETURN
ip6tables \
+-w \
-A FP-vnet0 \
-p udplite \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
+-w \
-A HJ-vnet0 \
-p udplite \
--destination ::10.1.2.3/128 \
iptables \
+-w \
-A FJ-vnet0 \
-p udplite \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udplite \
--source 10.1.2.3/32 \
--state ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udplite \
-m mac \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p udplite \
--destination 10.1.2.3/22 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udplite \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udplite \
--destination 10.1.2.3/22 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FJ-vnet0 \
-p udplite \
--destination 10.1.2.3/22 \
--state ESTABLISHED \
-j RETURN
iptables \
+-w \
-A FP-vnet0 \
-p udplite \
-m mac \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
+-w \
-A HJ-vnet0 \
-p udplite \
--destination 10.1.2.3/22 \
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-d 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--vlan-id 291 \
-j CONTINUE
ebtables \
+--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--vlan-id 291 \
-j CONTINUE
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-d 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--vlan-id 1234 \
-j RETURN
ebtables \
+--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--vlan-id 1234 \
-j RETURN
ebtables \
+--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--vlan-id 291 \
-j DROP
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--vlan-encap 2054 \
-j DROP
ebtables \
+--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
static const char *commonRules[] = {
/* Dropping ebtables rules */
- "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
- "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
- "ebtables -t nat -L libvirt-J-vnet0\n"
- "ebtables -t nat -L libvirt-P-vnet0\n"
- "ebtables -t nat -F libvirt-J-vnet0\n"
- "ebtables -t nat -X libvirt-J-vnet0\n"
- "ebtables -t nat -F libvirt-P-vnet0\n"
- "ebtables -t nat -X libvirt-P-vnet0\n",
+ "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
+ "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
+ "ebtables --concurrent -t nat -L libvirt-J-vnet0\n"
+ "ebtables --concurrent -t nat -L libvirt-P-vnet0\n"
+ "ebtables --concurrent -t nat -F libvirt-J-vnet0\n"
+ "ebtables --concurrent -t nat -X libvirt-J-vnet0\n"
+ "ebtables --concurrent -t nat -F libvirt-P-vnet0\n"
+ "ebtables --concurrent -t nat -X libvirt-P-vnet0\n",
/* Creating ebtables chains */
- "ebtables -t nat -N libvirt-J-vnet0\n"
- "ebtables -t nat -N libvirt-P-vnet0\n",
+ "ebtables --concurrent -t nat -N libvirt-J-vnet0\n"
+ "ebtables --concurrent -t nat -N libvirt-P-vnet0\n",
/* Dropping iptables rules */
- "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
- "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n"
- "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
- "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
- "iptables -F FP-vnet0\n"
- "iptables -X FP-vnet0\n"
- "iptables -F FJ-vnet0\n"
- "iptables -X FJ-vnet0\n"
- "iptables -F HJ-vnet0\n"
- "iptables -X HJ-vnet0\n",
+ "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
+ "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n"
+ "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
+ "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
+ "iptables -w -F FP-vnet0\n"
+ "iptables -w -X FP-vnet0\n"
+ "iptables -w -F FJ-vnet0\n"
+ "iptables -w -X FJ-vnet0\n"
+ "iptables -w -F HJ-vnet0\n"
+ "iptables -w -X HJ-vnet0\n",
/* Creating iptables chains */
- "iptables -N libvirt-in\n"
- "iptables -N libvirt-out\n"
- "iptables -N libvirt-in-post\n"
- "iptables -N libvirt-host-in\n"
- "iptables -D FORWARD -j libvirt-in\n"
- "iptables -D FORWARD -j libvirt-out\n"
- "iptables -D FORWARD -j libvirt-in-post\n"
- "iptables -D INPUT -j libvirt-host-in\n"
- "iptables -I FORWARD 1 -j libvirt-in\n"
- "iptables -I FORWARD 2 -j libvirt-out\n"
- "iptables -I FORWARD 3 -j libvirt-in-post\n"
- "iptables -I INPUT 1 -j libvirt-host-in\n"
- "iptables -N FP-vnet0\n"
- "iptables -N FJ-vnet0\n"
- "iptables -N HJ-vnet0\n"
- "iptables -A libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
- "iptables -A libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
- "iptables -A libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
- "iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
- "iptables -A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n",
+ "iptables -w -N libvirt-in\n"
+ "iptables -w -N libvirt-out\n"
+ "iptables -w -N libvirt-in-post\n"
+ "iptables -w -N libvirt-host-in\n"
+ "iptables -w -D FORWARD -j libvirt-in\n"
+ "iptables -w -D FORWARD -j libvirt-out\n"
+ "iptables -w -D FORWARD -j libvirt-in-post\n"
+ "iptables -w -D INPUT -j libvirt-host-in\n"
+ "iptables -w -I FORWARD 1 -j libvirt-in\n"
+ "iptables -w -I FORWARD 2 -j libvirt-out\n"
+ "iptables -w -I FORWARD 3 -j libvirt-in-post\n"
+ "iptables -w -I INPUT 1 -j libvirt-host-in\n"
+ "iptables -w -N FP-vnet0\n"
+ "iptables -w -N FJ-vnet0\n"
+ "iptables -w -N HJ-vnet0\n"
+ "iptables -w -A libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
+ "iptables -w -A libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
+ "iptables -w -A libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
+ "iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+ "iptables -w -A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n",
/* Dropping ip6tables rules */
- "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
- "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n"
- "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
- "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
- "ip6tables -F FP-vnet0\n"
- "ip6tables -X FP-vnet0\n"
- "ip6tables -F FJ-vnet0\n"
- "ip6tables -X FJ-vnet0\n"
- "ip6tables -F HJ-vnet0\n"
- "ip6tables -X HJ-vnet0\n",
+ "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
+ "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n"
+ "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
+ "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
+ "ip6tables -w -F FP-vnet0\n"
+ "ip6tables -w -X FP-vnet0\n"
+ "ip6tables -w -F FJ-vnet0\n"
+ "ip6tables -w -X FJ-vnet0\n"
+ "ip6tables -w -F HJ-vnet0\n"
+ "ip6tables -w -X HJ-vnet0\n",
/* Creating ip6tables chains */
- "ip6tables -N libvirt-in\n"
- "ip6tables -N libvirt-out\n"
- "ip6tables -N libvirt-in-post\n"
- "ip6tables -N libvirt-host-in\n"
- "ip6tables -D FORWARD -j libvirt-in\n"
- "ip6tables -D FORWARD -j libvirt-out\n"
- "ip6tables -D FORWARD -j libvirt-in-post\n"
- "ip6tables -D INPUT -j libvirt-host-in\n"
- "ip6tables -I FORWARD 1 -j libvirt-in\n"
- "ip6tables -I FORWARD 2 -j libvirt-out\n"
- "ip6tables -I FORWARD 3 -j libvirt-in-post\n"
- "ip6tables -I INPUT 1 -j libvirt-host-in\n"
- "ip6tables -N FP-vnet0\n"
- "ip6tables -N FJ-vnet0\n"
- "ip6tables -N HJ-vnet0\n"
- "ip6tables -A libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
- "ip6tables -A libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
- "ip6tables -A libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
- "ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
- "ip6tables -A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n",
+ "ip6tables -w -N libvirt-in\n"
+ "ip6tables -w -N libvirt-out\n"
+ "ip6tables -w -N libvirt-in-post\n"
+ "ip6tables -w -N libvirt-host-in\n"
+ "ip6tables -w -D FORWARD -j libvirt-in\n"
+ "ip6tables -w -D FORWARD -j libvirt-out\n"
+ "ip6tables -w -D FORWARD -j libvirt-in-post\n"
+ "ip6tables -w -D INPUT -j libvirt-host-in\n"
+ "ip6tables -w -I FORWARD 1 -j libvirt-in\n"
+ "ip6tables -w -I FORWARD 2 -j libvirt-out\n"
+ "ip6tables -w -I FORWARD 3 -j libvirt-in-post\n"
+ "ip6tables -w -I INPUT 1 -j libvirt-host-in\n"
+ "ip6tables -w -N FP-vnet0\n"
+ "ip6tables -w -N FJ-vnet0\n"
+ "ip6tables -w -N HJ-vnet0\n"
+ "ip6tables -w -A libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
+ "ip6tables -w -A libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
+ "ip6tables -w -A libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
+ "ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+ "ip6tables -w -A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n",
/* Inserting ebtables rules */
- "ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
- "ebtables -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n",
+ "ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
+ "ebtables --concurrent -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n",
};
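Review bot: The lock flags are now spelled out in every string of `commonRules` (`--concurrent` for ebtables, `-w` for iptables and ip6tables), so any later change to a flag, such as adding a wait timeout, means touching each literal again. Keeping each flag in one macro would avoid that, for example `#define EBT_LOCK "--concurrent"` used as `"ebtables " EBT_LOCK " -t nat -N libvirt-J-vnet0\n"`, with a matching macro for `-w`. Nothing else in the array needs to change.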
*error = g_dbus_error_new_for_dbus_error("org.firewalld.error",
"something bad happened");
} else {
- if (nargs == 1 &&
+ if (nargs == 2 &&
STREQ(type, "ipv4") &&
- STREQ(args[0], "-L")) {
+ STREQ(args[0], "-w") &&
+ STREQ(args[1], "-L")) {
reply = g_variant_new("(s)", TEST_FILTER_TABLE_LIST);
- } else if (nargs == 3 &&
+ } else if (nargs == 4 &&
STREQ(type, "ipv4") &&
- STREQ(args[0], "-t") &&
- STREQ(args[1], "nat") &&
- STREQ(args[2], "-L")) {
+ STREQ(args[0], "-w") &&
+ STREQ(args[1], "-t") &&
+ STREQ(args[2], "nat") &&
+ STREQ(args[3], "-L")) {
reply = g_variant_new("(s)", TEST_NAT_TABLE_LIST);
} else {
reply = g_variant_new("(s)", "success");
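Review bot: The firewalld mock now returns the table listings only when `args[0]` is `-w`, which pins the lock flag into passthrough calls sent over D-Bus as well as into directly executed commands. It is worth confirming that forwarding `-w` to firewalld is intended, since firewalld presumably does its own locking when it runs iptables. If it is intended, a comment above the first condition would record that, for example `/* lock option is added when the rule is applied, so it is args[0] for passthrough too */`. Any other argument list still falls through to the generic "success" reply, so this mock would not itself report a misplaced flag. The enclosing function starts and ends outside the hunk.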
int ret = -1;
const char *actual = NULL;
const char *expected =
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
- IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
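Review bot: Every `expected` string in this hunk and in the expected-string hunks that follow now carries `-w`, so no visible case covers a run where the lock option is not added. That seems to follow from `virFirewallSetLockOverride()` now forcing `iptablesUseLock` and its siblings on, though the call site is not in view. A failed rule insertion under xtables lock contention is the failure this flag guards against, so at least one case with the flag off would show that the no-lock path still produces the bare command. If that is out of scope, a comment next to the first `expected` would help, for example `/* lock option is always present here: tests force it via virFirewallSetLockOverride() */`.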
int ret = -1;
const char *actual = NULL;
const char *expected =
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
- IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
const struct testFirewallData *data = opaque;
virFirewallRulePtr fwrule;
int ret = -1;
const char *actual = NULL;
const char *expected =
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
- IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n"
- IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
- IPTABLES_PATH " -A OUTPUT --jump DROP\n";
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump REJECT\n"
+ IPTABLES_PATH " -w -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -w -A OUTPUT --jump DROP\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
int ret = -1;
const char *actual = NULL;
const char *expected =
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
- IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
- IPTABLES_PATH " -A OUTPUT --jump DROP\n";
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
+ IPTABLES_PATH " -w -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -w -A OUTPUT --jump DROP\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
int ret = -1;
const char *actual = NULL;
const char *expected =
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
- IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
- IPTABLES_PATH " -A OUTPUT --jump DROP\n";
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
+ IPTABLES_PATH " -w -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -w -A OUTPUT --jump DROP\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
int ret = -1;
const char *actual = NULL;
const char *expected =
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n";
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump REJECT\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
int ret = -1;
const char *actual = NULL;
const char *expected =
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
- IPTABLES_PATH " -D INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
- IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
- IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
+ IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
+ IPTABLES_PATH " -w -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
int ret = -1;
const char *actual = NULL;
const char *expected =
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
- IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
- IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
+ IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
+ IPTABLES_PATH " -w -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
int ret = -1;
const char *actual = NULL;
const char *expected =
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.127 --jump REJECT\n"
- IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n"
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
- IPTABLES_PATH " -D INPUT --source-host 192.168.122.127 --jump REJECT\n"
- IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJECT\n"
- IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
- IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.127 --jump REJECT\n"
+ IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump REJECT\n"
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
+ IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.127 --jump REJECT\n"
+ IPTABLES_PATH " -w -D INPUT --source-host '!192.168.122.1' --jump REJECT\n"
+ IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
+ IPTABLES_PATH " -w -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
void *opaque G_GNUC_UNUSED)
{
if (STREQ(args[0], IPTABLES_PATH) &&
- STREQ(args[1], "-L")) {
+ STREQ(args[1], "-w") &&
+ STREQ(args[2], "-L")) {
*output = g_strdup(TEST_FILTER_TABLE_LIST);
} else if (STREQ(args[0], IPTABLES_PATH) &&
- STREQ(args[1], "-t") &&
- STREQ(args[2], "nat") &&
- STREQ(args[3], "-L")) {
+ STREQ(args[1], "-w") &&
+ STREQ(args[2], "-t") &&
+ STREQ(args[3], "nat") &&
+ STREQ(args[4], "-L")) {
*output = g_strdup(TEST_NAT_TABLE_LIST);
}
}
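Review bot: The condition chain in the query hook now reads up to `args[4]` without knowing how long the vector is, and each `STREQ` hands its argument straight to strcmp. Assuming `args` is a NULL-terminated argv, a command that matches `IPTABLES_PATH` but carries fewer arguments would pass NULL to strcmp, for instance at `args[1]`. Using the NULL-tolerant comparison for the indexed entries makes a short vector simply fail to match, for example `STREQ_NULLABLE(args[1], "-w") &&`. The function's signature begins above the hunk.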
int ret = -1;
const char *actual = NULL;
const char *expected =
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.127 --jump REJECT\n"
- IPTABLES_PATH " -L\n"
- IPTABLES_PATH " -t nat -L\n"
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.130 --jump REJECT\n"
- IPTABLES_PATH " -A INPUT --source-host '!192.168.122.129' --jump REJECT\n"
- IPTABLES_PATH " -A INPUT --source-host '!192.168.122.129' --jump REJECT\n"
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.128 --jump REJECT\n"
- IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.127 --jump REJECT\n"
+ IPTABLES_PATH " -w -L\n"
+ IPTABLES_PATH " -w -t nat -L\n"
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.130 --jump REJECT\n"
+ IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.129' --jump REJECT\n"
+ IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.129' --jump REJECT\n"
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.128 --jump REJECT\n"
+ IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
const struct testFirewallData *data = opaque;
expectedLineNum = 0;