1. 10 May, 2019 1 commit
    • nwfilter: allow for different format of IPv6 netmask/prefix in ebtables output · 90664ac0
      Laine Stump authored
      The iptables-ebtables package is meant as a drop-in replacement for
      the native ebtables package, but it formats some items in the -L
      output differently, leading to failure of scripts that depend on the
      output of ebtables -L. In particular:
      
      * with old ebtables IPv6 prefixes are output as a netmask (e.g.: "/ffff:fc00")

      * with iptables-ebtables IPv6 prefixes are always output as a numeric
        prefix (e.g. "/22"), and suppressed completely if the prefix is
        /128.
      
      This difference is also described in
      https://bugzilla.redhat.com/show_bug.cgi?id=1674536
      
      "old" ebtables upstream has just accepted a patch to change its output
      to match that of iptables-ebtables:
      
      https://marc.info/?l=netfilter-devel&m=155000828923204&w=2
      
      so it makes sense for libvirt-tck to accept the new format (as well as
      the old). As with the patch for fixing up MAC addresses with leading
      0s, this patch also uses sed to apply a substitution to the scraped
      output of ebtables -L. However, rather than keeping the comparison
      (expected) output in the old (netmask) form, it is changed to the new
      (prefix) form, and the sed commands change netmasks to prefixes. (This
      works out better because in some cases we need to replace [all ff's]
      with "", and it's not possible to do that in the opposite direction)

      Signed-off-by: Laine Stump <laine@laine.org>
      Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
  2. 09 May, 2019 1 commit
  3. 28 Mar, 2014 1 commit
    • Remove /128 from ip6tables output · eefd5d24
      Mike Latimer authored
      Due to iptables commit 945353a2 (in iptables v1.4.20 and higher), ip6tables
      no longer prints out /128. This patch removes /128 from output files, and
      replaces '/128' in command output with '    ' to remain compatible with
      older versions of ip6tables.
  4. 27 Mar, 2014 1 commit
    • Remove illegal values in nwfilter test XML/firewall files · b32490de
      Daniel P. Berrange authored
      A number of the nwfilter XML files have attribute values
      which are out of range. Previously the libvirt nwfilter
      XML parser would silently ignore illegal values, causing
      them to default to 0. This resulted in creating incorrect
      iptables rules, which the TCK suite then validated as
      correct. Current libvirt returns a hard error for illegal
      XML values. To address this we either change the attribute
      values to be valid, or delete the bogus rules entirely if
      they are duplicates of other existing valid rules.

      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
  5. 16 Feb, 2013 1 commit
  6. 22 Oct, 2010 1 commit
  7. 09 Sep, 2010 1 commit
    • Introduce a test suite for nwfilter functionality · 1d3342fd
      Stefan Berger authored
      Introduce a test suite for the nwfilter functionality. Compares
      the XML against actual iptables/ebtables rules created. Expects
      presence of virbr0 network, and only works with qemu://system
      on Linux hosts.
      
      * bin/libvirt-tck: Ensure config file path is absolute
      * scripts/nwfilter/100-apply-verify.t: Wrapper to make script
      * scripts/nwfilter/nwfilter2vmtest.sh: Main test script
      * scripts/nwfilter/nwfilterxml2fwallout/*,
        scripts/nwfilter/nwfilterxml2xmlin/*: Test data files