From 9cecc7729a8d44fcdec9a4852545286cb7eb8fad Mon Sep 17 00:00:00 2001

From: Eric Garver <eric@garver.life>

Date: Wed, 31 Jul 2019 13:57:10 -0400

Subject: [PATCH 24/26] fix: guarantee zone source dispatch is sorted by zone

 name

Apparently users depend on firewalld sorting zone dispatch for sources

by the zone name. This is used to specify precedence for overlapping

address spaces.

Since we have to track rule positions of source based dispatch we might

as well abuse this and combine the source/interface dispatch into a

single chain.

Fixes: rhbz 1734765

Fixes: 70993581d79b ("fix: do not allow zone drifting")

(cherry picked from commit afc35c20e58b00b81cd2e1f3e863b3b3bac37c77)

---

 src/firewall/core/ipXtables.py |  88 ++++++++---

 src/firewall/core/nftables.py  |  71 +++++++--

 src/tests/firewall-cmd.at      |  14 +-

 src/tests/regression/gh258.at  | 277 ++++++++++-----------------------

 4 files changed, 211 insertions(+), 239 deletions(-)

diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py

index 9055e9566d15..2f4ec46d8339 100644

--- a/src/firewall/core/ipXtables.py

+++ b/src/firewall/core/ipXtables.py

@@ -178,6 +178,7 @@ class ip4tables(object):

         self.fill_exists()

         self.available_tables = []

         self.rich_rule_priority_counts = {}

+        self.zone_source_index_cache = []

         self.our_chains = {} # chains created by firewalld

     def fill_exists(self):

@@ -289,6 +290,44 @@ class ip4tables(object):

                     chain = args[i+1]

         return (table, chain)

+    def _run_replace_zone_source(self, rule, zone_source_index_cache):

+        try:

+            i = rule.index("%%ZONE_SOURCE%%")

+            rule.pop(i)

+            zone = rule.pop(i)

+            if "-m" == rule[4]: # ipset/mac

+                zone_source = (zone, rule[7]) # (zone, address)

+            else:

+                zone_source = (zone, rule[5]) # (zone, address)

+        except ValueError:

+            try:

+                i = rule.index("%%ZONE_INTERFACE%%")

+                rule.pop(i)

+                zone_source = None

+            except ValueError:

+                return

+

+        rule_add = True

+        if rule[0] in ["-D", "--delete"]:

+            rule_add = False

+

+        if zone_source and not rule_add:

+            if zone_source in zone_source_index_cache:

+                zone_source_index_cache.remove(zone_source)

+        elif rule_add:

+            if zone_source:

+                # order source based dispatch by zone name

+                if zone_source not in zone_source_index_cache:

+                    zone_source_index_cache.append(zone_source)

+                    zone_source_index_cache.sort(key=lambda x: x[0])

+

+                index = zone_source_index_cache.index(zone_source)

+            else:

+                index = len(zone_source_index_cache)

+                

+            rule[0] = "-I"

+            rule.insert(2, "%d" % (index + 1))

+

     def _set_rule_replace_rich_rule_priority(self, rule, rich_rule_priority_counts):

         """

         Change something like

@@ -374,6 +413,7 @@ class ip4tables(object):

         table_rules = { }

         rich_rule_priority_counts = copy.deepcopy(self.rich_rule_priority_counts)

+        zone_source_index_cache = copy.deepcopy(self.zone_source_index_cache)

         for _rule in rules:

             rule = _rule[:]

@@ -398,6 +438,7 @@ class ip4tables(object):

                     rule.pop(i)

             self._set_rule_replace_rich_rule_priority(rule, rich_rule_priority_counts)

+            self._run_replace_zone_source(rule, zone_source_index_cache)

             table = "filter"

             # get table form rule

@@ -461,6 +502,7 @@ class ip4tables(object):

             raise ValueError("'%s %s' failed: %s" % (self._restore_command,

                                                      " ".join(args), ret))

         self.rich_rule_priority_counts = rich_rule_priority_counts

+        self.zone_source_index_cache = zone_source_index_cache

         return ret

     def set_rule(self, rule, log_denied):

@@ -485,9 +527,14 @@ class ip4tables(object):

                 rule.pop(i)

         rich_rule_priority_counts = copy.deepcopy(self.rich_rule_priority_counts)

+        zone_source_index_cache = copy.deepcopy(self.zone_source_index_cache)

         self._set_rule_replace_rich_rule_priority(rule, rich_rule_priority_counts)

+        self._run_replace_zone_source(rule, zone_source_index_cache)

+

         output = self.__run(rule)

+

         self.rich_rule_priority_counts = rich_rule_priority_counts

+        self.zone_source_index_cache = zone_source_index_cache

         return output

     def get_available_tables(self, table=None):

@@ -539,6 +586,7 @@ class ip4tables(object):

     def build_flush_rules(self):

         self.rich_rule_priority_counts = {}

+        self.zone_source_index_cache = []

         rules = []

         for table in BUILT_IN_CHAINS.keys():

             if not self.get_available_tables(table):

@@ -620,10 +668,8 @@ class ip4tables(object):

                 if chain == "PREROUTING":

                     default_rules["raw"].append("-N %s_ZONES" % chain)

-                    default_rules["raw"].append("-N %s_ZONES_IFACES" % chain)

                     default_rules["raw"].append("-A %s -j %s_ZONES" % (chain, chain))

-                    default_rules["raw"].append("-A %s_ZONES -g %s_ZONES_IFACES" % (chain, chain))

-                    self.our_chains["raw"].update(set(["%s_ZONES" % chain, "%s_ZONES_IFACES" % chain]))

+                    self.our_chains["raw"].update(set(["%s_ZONES" % chain]))

         if self.get_available_tables("mangle"):

             default_rules["mangle"] = [ ]

@@ -635,10 +681,8 @@ class ip4tables(object):

                 if chain == "PREROUTING":

                     default_rules["mangle"].append("-N %s_ZONES" % chain)

-                    default_rules["mangle"].append("-N %s_ZONES_IFACES" % chain)

                     default_rules["mangle"].append("-A %s -j %s_ZONES" % (chain, chain))

-                    default_rules["mangle"].append("-A %s_ZONES -g %s_ZONES_IFACES" % (chain, chain))

-                    self.our_chains["mangle"].update(set(["%s_ZONES" % chain, "%s_ZONES_IFACES" % chain]))

+                    self.our_chains["mangle"].update(set(["%s_ZONES" % chain]))

         if self.get_available_tables("nat"):

             default_rules["nat"] = [ ]

@@ -650,21 +694,17 @@ class ip4tables(object):

                 if chain in [ "PREROUTING", "POSTROUTING" ]:

                     default_rules["nat"].append("-N %s_ZONES" % chain)

-                    default_rules["nat"].append("-N %s_ZONES_IFACES" % chain)

                     default_rules["nat"].append("-A %s -j %s_ZONES" % (chain, chain))

-                    default_rules["nat"].append("-A %s_ZONES -g %s_ZONES_IFACES" % (chain, chain))

-                    self.our_chains["nat"].update(set(["%s_ZONES" % chain, "%s_ZONES_IFACES" % chain]))

+                    self.our_chains["nat"].update(set(["%s_ZONES" % chain]))

         default_rules["filter"] = [

             "-N INPUT_direct",

             "-N INPUT_ZONES",

-            "-N INPUT_ZONES_IFACES",

             "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT",

             "-A INPUT -i lo -j ACCEPT",

             "-A INPUT -j INPUT_direct",

             "-A INPUT -j INPUT_ZONES",

-            "-A INPUT_ZONES -g INPUT_ZONES_IFACES",

         ]

         if log_denied != "off":

             default_rules["filter"].append("-A INPUT -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '")

@@ -677,16 +717,12 @@ class ip4tables(object):

             "-N FORWARD_direct",

             "-N FORWARD_IN_ZONES",

             "-N FORWARD_OUT_ZONES",

-            "-N FORWARD_IN_ZONES_IFACES",

-            "-N FORWARD_OUT_ZONES_IFACES",

             "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT",

             "-A FORWARD -i lo -j ACCEPT",

             "-A FORWARD -j FORWARD_direct",

             "-A FORWARD -j FORWARD_IN_ZONES",

             "-A FORWARD -j FORWARD_OUT_ZONES",

-            "-A FORWARD_IN_ZONES -g FORWARD_IN_ZONES_IFACES",

-            "-A FORWARD_OUT_ZONES -g FORWARD_OUT_ZONES_IFACES",

         ]

         if log_denied != "off":

             default_rules["filter"].append("-A FORWARD -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '")

@@ -702,10 +738,9 @@ class ip4tables(object):

             "-A OUTPUT -j OUTPUT_direct",

         ]

-        self.our_chains["filter"] = set(["INPUT_direct", "INPUT_ZONES", "INPUT_ZONES_IFACES"

+        self.our_chains["filter"] = set(["INPUT_direct", "INPUT_ZONES",

                                          "FORWARD_direct", "FORWARD_IN_ZONES",

-                                         "FORWARD_IN_ZONES_IFACES" "FORWARD_OUT_ZONES",

-                                         "FORWARD_OUT_ZONES_IFACES", "OUTPUT_direct"])

+                                         "FORWARD_OUT_ZONES", "OUTPUT_direct"])

         final_default_rules = []

         for table in default_rules:

@@ -748,11 +783,13 @@ class ip4tables(object):

         action = "-g"

         if enable and not append:

-            rule = [ "-I", "%s_ZONES_IFACES" % chain, "1" ]

+            rule = [ "-I", "%s_ZONES" % chain, "%%ZONE_INTERFACE%%" ]

         elif enable:

-            rule = [ "-A", "%s_ZONES_IFACES" % chain ]

+            rule = [ "-A", "%s_ZONES" % chain ]

         else:

-            rule = [ "-D", "%s_ZONES_IFACES" % chain ]

+            rule = [ "-D", "%s_ZONES" % chain ]

+            if not append:

+                rule += ["%%ZONE_INTERFACE%%"]

         rule += [ "-t", table, opt, interface, action, target ]

         return [rule]

@@ -780,7 +817,8 @@ class ip4tables(object):

                 opt = "src"

             flags = ",".join([opt] * self._fw.ipset.get_dimension(name))

             rule = [ add_del,

-                     "%s_ZONES" % chain, "-t", table,

+                     "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone,

+                     "-t", table,

                      "-m", "set", "--match-set", name,

                      flags, action, target ]

         else:

@@ -789,12 +827,14 @@ class ip4tables(object):

                 if opt == "-d":

                     return ""

                 rule = [ add_del,

-                         "%s_ZONES" % chain, "-t", table,

+                         "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone,

+                         "-t", table,

                          "-m", "mac", "--mac-source", address.upper(),

                          action, target ]

             else:

                 rule = [ add_del,

-                         "%s_ZONES" % chain, "-t", table,

+                         "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone,

+                         "-t", table,

                          opt, address, action, target ]

         return [rule]

diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py

index ba52a0e87493..c0b48f1501fd 100644

--- a/src/firewall/core/nftables.py

+++ b/src/firewall/core/nftables.py

@@ -157,6 +157,7 @@ class nftables(object):

         self.rule_to_handle = {}

         self.rule_ref_count = {}

         self.rich_rule_priority_counts = {}

+        self.zone_source_index_cache = {}

         self.used_families = ["inet", "ip", "ip6"]

     def fill_exists(self):

@@ -171,6 +172,48 @@ class nftables(object):

             raise FirewallError(INVALID_RULE, "position/handle not allowed in rule")

         return " ".join([str(x) for x in rule_key])

+    def _run_replace_zone_source(self, rule_add, rule, zone_source_index_cache):

+        try:

+            i = rule.index("%%ZONE_SOURCE%%")

+            rule.pop(i)

+            zone = rule.pop(i)

+            zone_source = (zone, rule[7]) # (zone, address)

+        except ValueError:

+            try:

+                i = rule.index("%%ZONE_INTERFACE%%")

+                rule.pop(i)

+                zone_source = None

+            except ValueError:

+                return

+

+        family = rule[2]

+

+        if zone_source and not rule_add:

+            if family in zone_source_index_cache and \

+               zone_source in zone_source_index_cache[family]:

+                zone_source_index_cache[family].remove(zone_source)

+        elif rule_add:

+            if family not in zone_source_index_cache:

+                zone_source_index_cache[family] = []

+

+            if zone_source:

+                # order source based dispatch by zone name

+                if zone_source not in zone_source_index_cache[family]:

+                    zone_source_index_cache[family].append(zone_source)

+                    zone_source_index_cache[family].sort(key=lambda x: x[0])

+

+                index = zone_source_index_cache[family].index(zone_source)

+            else:

+                index = len(zone_source_index_cache[family])

+                

+            if index == 0:

+                rule[0] = "insert"

+            else:

+                index -= 1 # point to the rule before insertion point

+                rule[0] = "add"

+                rule.insert(i, "index")

+                rule.insert(i+1, "%d" % index)

+

     def __run(self, args):

         nft_opts = ["--echo", "--handle"]

         _args = args[:]

@@ -257,6 +300,10 @@ class nftables(object):

                         _args.insert(i, "index")

                         _args.insert(i+1, "%d" % index)

+        if rule_key:

+            zone_source_index_cache = copy.deepcopy(self.zone_source_index_cache)

+            self._run_replace_zone_source(rule_add, _args, zone_source_index_cache)

+

         if not rule_key or (not rule_add and self.rule_ref_count[rule_key] == 0) \

                         or (    rule_add and rule_key not in self.rule_ref_count):

@@ -274,6 +321,7 @@ class nftables(object):

             if rule_key:

                 self.rich_rule_priority_counts = rich_rule_priority_counts

+                self.zone_source_index_cache = zone_source_index_cache

             # nft requires deleting rules by handle. So we must cache the rule

             # handle when adding/inserting rules.

@@ -362,6 +410,7 @@ class nftables(object):

         self.rule_to_handle = saved_rule_to_handle

         self.rule_ref_count = saved_rule_ref_count

         self.rich_rule_priority_counts = {}

+        self.zone_source_index_cache = {}

         rules = []

         for family in self.used_families:

@@ -440,9 +489,7 @@ class nftables(object):

         for chain in ["PREROUTING"]:

             default_rules.append("add chain inet %s raw_%s_ZONES" % (TABLE_NAME, chain))

-            default_rules.append("add chain inet %s raw_%s_ZONES_IFACES" % (TABLE_NAME, chain))

             default_rules.append("add rule inet %s raw_%s jump raw_%s_ZONES" % (TABLE_NAME, chain, chain))

-            default_rules.append("add rule inet %s raw_%s_ZONES goto raw_%s_ZONES_IFACES" % (TABLE_NAME, chain, chain))

         for chain in IPTABLES_TO_NFT_HOOK["mangle"].keys():

             default_rules.append("add chain inet %s mangle_%s '{ type filter hook %s priority %d ; }'" %

@@ -451,9 +498,7 @@ class nftables(object):

                                   IPTABLES_TO_NFT_HOOK["mangle"][chain][1]))

             default_rules.append("add chain inet %s mangle_%s_ZONES" % (TABLE_NAME, chain))

-            default_rules.append("add chain inet %s mangle_%s_ZONES_IFACES" % (TABLE_NAME, chain))

             default_rules.append("add rule inet %s mangle_%s jump mangle_%s_ZONES" % (TABLE_NAME, chain, chain))

-            default_rules.append("add rule inet %s mangle_%s_ZONES goto mangle_%s_ZONES_IFACES" % (TABLE_NAME, chain, chain))

         for family in ["ip", "ip6"]:

             for chain in IPTABLES_TO_NFT_HOOK["nat"].keys():

@@ -463,9 +508,7 @@ class nftables(object):

                                       IPTABLES_TO_NFT_HOOK["nat"][chain][1]))

                 default_rules.append("add chain %s %s nat_%s_ZONES" % (family, TABLE_NAME, chain))

-                default_rules.append("add chain %s %s nat_%s_ZONES_IFACES" % (family, TABLE_NAME, chain))

                 default_rules.append("add rule %s %s nat_%s jump nat_%s_ZONES" % (family, TABLE_NAME, chain, chain))

-                default_rules.append("add rule %s %s nat_%s_ZONES goto nat_%s_ZONES_IFACES" % (family, TABLE_NAME, chain, chain))

         for chain in IPTABLES_TO_NFT_HOOK["filter"].keys():

             default_rules.append("add chain inet %s filter_%s '{ type filter hook %s priority %d ; }'" %

@@ -475,12 +518,10 @@ class nftables(object):

         # filter, INPUT

         default_rules.append("add chain inet %s filter_%s_ZONES" % (TABLE_NAME, "INPUT"))

-        default_rules.append("add chain inet %s filter_%s_ZONES_IFACES" % (TABLE_NAME, "INPUT"))

         default_rules.append("add rule inet %s filter_%s ct state established,related accept" % (TABLE_NAME, "INPUT"))

         default_rules.append("add rule inet %s filter_%s ct status dnat accept" % (TABLE_NAME, "INPUT"))

         default_rules.append("add rule inet %s filter_%s iifname lo accept" % (TABLE_NAME, "INPUT"))

         default_rules.append("add rule inet %s filter_%s jump filter_%s_ZONES" % (TABLE_NAME, "INPUT", "INPUT"))

-        default_rules.append("add rule inet %s filter_%s_ZONES goto filter_%s_ZONES_IFACES" % (TABLE_NAME, "INPUT", "INPUT"))

         if log_denied != "off":

             default_rules.append("add rule inet %s filter_%s ct state invalid %%%%LOGTYPE%%%% log prefix '\"STATE_INVALID_DROP: \"'" % (TABLE_NAME, "INPUT"))

         default_rules.append("add rule inet %s filter_%s ct state invalid drop" % (TABLE_NAME, "INPUT"))

@@ -490,16 +531,12 @@ class nftables(object):

         # filter, FORWARD

         default_rules.append("add chain inet %s filter_%s_IN_ZONES" % (TABLE_NAME, "FORWARD"))

-        default_rules.append("add chain inet %s filter_%s_IN_ZONES_IFACES" % (TABLE_NAME, "FORWARD"))

         default_rules.append("add chain inet %s filter_%s_OUT_ZONES" % (TABLE_NAME, "FORWARD"))

-        default_rules.append("add chain inet %s filter_%s_OUT_ZONES_IFACES" % (TABLE_NAME, "FORWARD"))

         default_rules.append("add rule inet %s filter_%s ct state established,related accept" % (TABLE_NAME, "FORWARD"))

         default_rules.append("add rule inet %s filter_%s ct status dnat accept" % (TABLE_NAME, "FORWARD"))

         default_rules.append("add rule inet %s filter_%s iifname lo accept" % (TABLE_NAME, "FORWARD"))

         default_rules.append("add rule inet %s filter_%s jump filter_%s_IN_ZONES" % (TABLE_NAME, "FORWARD", "FORWARD"))

         default_rules.append("add rule inet %s filter_%s jump filter_%s_OUT_ZONES" % (TABLE_NAME, "FORWARD", "FORWARD"))

-        default_rules.append("add rule inet %s filter_%s_IN_ZONES goto filter_%s_IN_ZONES_IFACES" % (TABLE_NAME, "FORWARD", "FORWARD"))

-        default_rules.append("add rule inet %s filter_%s_OUT_ZONES goto filter_%s_OUT_ZONES_IFACES" % (TABLE_NAME, "FORWARD", "FORWARD"))

         if log_denied != "off":

             default_rules.append("add rule inet %s filter_%s ct state invalid %%%%LOGTYPE%%%% log prefix '\"STATE_INVALID_DROP: \"'" % (TABLE_NAME, "FORWARD"))

         default_rules.append("add rule inet %s filter_%s ct state invalid drop" % (TABLE_NAME, "FORWARD"))

@@ -554,11 +591,14 @@ class nftables(object):

         action = "goto"

         if enable and not append:

-            rule = ["insert", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES_IFACES" % (table, chain)]

+            rule = ["insert", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES" % (table, chain),

+                    "%%ZONE_INTERFACE%%"]

         elif enable:

-            rule = ["add", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES_IFACES" % (table, chain)]

+            rule = ["add", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES" % (table, chain)]

         else:

-            rule = ["delete", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES_IFACES" % (table, chain)]

+            rule = ["delete", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES" % (table, chain)]

+            if not append:

+                rule += ["%%ZONE_INTERFACE%%"]

         if interface == "*":

             rule += [action, "%s_%s" % (table, target)]

         else:

@@ -609,6 +649,7 @@ class nftables(object):

         rule = [add_del, "rule", family, "%s" % TABLE_NAME,

                 "%s_%s_ZONES" % (table, chain),

+                "%%ZONE_SOURCE%%", zone,

                 rule_family, opt, address, action, "%s_%s" % (table, target)]

         return [rule]

diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at

index 7bb13aee0221..53f2eb2c7c88 100644

--- a/src/tests/firewall-cmd.at

+++ b/src/tests/firewall-cmd.at

@@ -148,14 +148,14 @@ FWD_START_TEST([zone interfaces])

     FWD_CHECK([--zone=trusted --add-interface=+], 0, ignore)

     FWD_CHECK([--add-interface=foobar+++], 0, ignore)

     FWD_CHECK([--add-interface=foobar+], 0, ignore)

-    NFT_LIST_RULES([inet], [filter_INPUT_ZONES_IFACES], 0, [dnl

+    NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl

         table inet firewalld {

-        chain filter_INPUT_ZONES_IFACES {

-            iifname "foobar*" goto filter_IN_public

-            iifname "foobar++*" goto filter_IN_public

-            goto filter_IN_trusted

-            goto filter_IN_public

-        }

+            chain filter_INPUT_ZONES {

+                iifname "foobar*" goto filter_IN_public

+                iifname "foobar++*" goto filter_IN_public

+                goto filter_IN_trusted

+                goto filter_IN_public

+            }

         }

     ])

     FWD_CHECK([--zone=trusted --remove-interface=+], 0, ignore)

diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at

index ba76946f0333..1896a9bfc61c 100644

--- a/src/tests/regression/gh258.at

+++ b/src/tests/regression/gh258.at

@@ -9,7 +9,6 @@ FWD_CHECK([--zone=work --add-interface=dummy0], 0, ignore)

 FWD_CHECK([--zone=public --add-interface=dummy1], 0, ignore)

 dnl verify layout of zone dispatch

-m4_if(nftables, FIREWALL_BACKEND, [

 NFT_LIST_RULES([inet], [filter_INPUT], 0, [dnl

     table inet firewalld {

         chain filter_INPUT {

@@ -27,13 +26,6 @@ NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl

         chain filter_INPUT_ZONES {

             ip6 saddr dead:beef::/54 goto filter_IN_public

             ip saddr 1.2.3.0/24 goto filter_IN_work

-            goto filter_INPUT_ZONES_IFACES

-        }

-    }

-])

-NFT_LIST_RULES([inet], [filter_INPUT_ZONES_IFACES], 0, [dnl

-    table inet firewalld {

-        chain filter_INPUT_ZONES_IFACES {

             iifname "dummy1" goto filter_IN_public

             iifname "dummy0" goto filter_IN_work

             goto filter_IN_public

@@ -59,13 +51,6 @@ NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES], 0, [dnl

         chain filter_FORWARD_IN_ZONES {

             ip6 saddr dead:beef::/54 goto filter_FWDI_public

             ip saddr 1.2.3.0/24 goto filter_FWDI_work

-            goto filter_FORWARD_IN_ZONES_IFACES

-        }

-    }

-])

-NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES_IFACES], 0, [dnl

-    table inet firewalld {

-        chain filter_FORWARD_IN_ZONES_IFACES {

             iifname "dummy1" goto filter_FWDI_public

             iifname "dummy0" goto filter_FWDI_work

             goto filter_FWDI_public

@@ -77,13 +62,6 @@ NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl

         chain filter_FORWARD_OUT_ZONES {

             ip6 daddr dead:beef::/54 goto filter_FWDO_public

             ip daddr 1.2.3.0/24 goto filter_FWDO_work

-            goto filter_FORWARD_OUT_ZONES_IFACES

-        }

-    }

-])

-NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES_IFACES], 0, [dnl

-    table inet firewalld {

-        chain filter_FORWARD_OUT_ZONES_IFACES {

             oifname "dummy1" goto filter_FWDO_public

             oifname "dummy0" goto filter_FWDO_work

             goto filter_FWDO_public

@@ -106,13 +84,6 @@ NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl

         chain raw_PREROUTING_ZONES {

             ip6 saddr dead:beef::/54 goto raw_PRE_public

             ip saddr 1.2.3.0/24 goto raw_PRE_work

-            goto raw_PREROUTING_ZONES_IFACES

-        }

-    }

-])

-NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES_IFACES], 0, [dnl

-    table inet firewalld {

-        chain raw_PREROUTING_ZONES_IFACES {

             iifname "dummy1" goto raw_PRE_public

             iifname "dummy0" goto raw_PRE_work

             goto raw_PRE_public

@@ -131,13 +102,6 @@ NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl

         chain mangle_PREROUTING_ZONES {

             ip6 saddr dead:beef::/54 goto mangle_PRE_public

             ip saddr 1.2.3.0/24 goto mangle_PRE_work

-            goto mangle_PREROUTING_ZONES_IFACES

-        }

-    }

-])

-NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES_IFACES], 0, [dnl

-    table inet firewalld {

-        chain mangle_PREROUTING_ZONES_IFACES {

             iifname "dummy1" goto mangle_PRE_public

             iifname "dummy0" goto mangle_PRE_work

             goto mangle_PRE_public

@@ -155,13 +119,6 @@ NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES], 0, [dnl

     table ip firewalld {

         chain nat_PREROUTING_ZONES {

             ip saddr 1.2.3.0/24 goto nat_PRE_work

-            goto nat_PREROUTING_ZONES_IFACES

-        }

-    }

-])

-NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES_IFACES], 0, [dnl

-    table ip firewalld {

-        chain nat_PREROUTING_ZONES_IFACES {

             iifname "dummy1" goto nat_PRE_public

             iifname "dummy0" goto nat_PRE_work

             goto nat_PRE_public

@@ -179,13 +136,6 @@ NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl

     table ip firewalld {

         chain nat_POSTROUTING_ZONES {

             ip daddr 1.2.3.0/24 goto nat_POST_work

-            goto nat_POSTROUTING_ZONES_IFACES

-        }

-    }

-])

-NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_IFACES], 0, [dnl

-    table ip firewalld {

-        chain nat_POSTROUTING_ZONES_IFACES {

             oifname "dummy1" goto nat_POST_public

             oifname "dummy0" goto nat_POST_work

             goto nat_POST_public

@@ -203,13 +153,6 @@ NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES], 0, [dnl

     table ip6 firewalld {

         chain nat_PREROUTING_ZONES {

             ip6 saddr dead:beef::/54 goto nat_PRE_public

-            goto nat_PREROUTING_ZONES_IFACES

-        }

-    }

-])

-NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES_IFACES], 0, [dnl

-    table ip6 firewalld {

-        chain nat_PREROUTING_ZONES_IFACES {

             iifname "dummy1" goto nat_PRE_public

             iifname "dummy0" goto nat_PRE_work

             goto nat_PRE_public

@@ -227,20 +170,12 @@ NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl

     table ip6 firewalld {

         chain nat_POSTROUTING_ZONES {

             ip6 daddr dead:beef::/54 goto nat_POST_public

-            goto nat_POSTROUTING_ZONES_IFACES

-        }

-    }

-])

-NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_IFACES], 0, [dnl

-    table ip firewalld {

-        chain nat_POSTROUTING_ZONES_IFACES {

             oifname "dummy1" goto nat_POST_public

             oifname "dummy0" goto nat_POST_work

             goto nat_POST_public

         }

     }

 ])

-], [

 IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl

     ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT

@@ -250,15 +185,12 @@ IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl

     DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID

     REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

 ])

-IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0, [dnl

-    IN_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@

-    INPUT_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-])

-IPTABLES_LIST_RULES([filter], [INPUT_ZONES_IFACES], 0, [dnl

-    IN_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-    IN_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-    IN_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-])

+IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0,

+  [[IN_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]

+    IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]

+    IN_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]

+    IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]

+]])

 IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl

     ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT

     ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

@@ -268,77 +200,58 @@ IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl

     DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID

     REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

 ])

-IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, [dnl

-    FWDI_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@

-    FORWARD_IN_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-])

-IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_IFACES], 0, [dnl

-    FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-    FWDI_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-    FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-])

-IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, [dnl

-    FWDO_work all -- 0.0.0.0/0 1.2.3.0/24 @<:@goto@:>@

-    FORWARD_OUT_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-])

-IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_IFACES], 0, [dnl

-    FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-    FWDO_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-    FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-])

+IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0,

+  [[FWDI_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]

+    FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]

+    FWDI_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]

+    FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]

+]])

+IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0,

+  [[FWDO_work all -- 0.0.0.0/0 1.2.3.0/24 [goto]

+    FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]

+    FWDO_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]

+    FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]

+]])

 IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl

     PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0

     PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0

 ])

-IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, [dnl

-    PRE_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@

-    PREROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-])

-IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES_IFACES], 0, [dnl

-    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-    PRE_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-])

+IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,

+  [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]

+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]

+    PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]

+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]

+]])

 IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl

     PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0

     PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0

 ])

-IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, [dnl

-    PRE_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@

-    PREROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-])

-IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES_IFACES], 0, [dnl

-    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-    PRE_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-])

+IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0,

+  [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]

+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]

+    PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]

+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]

+]])

 IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl

     PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0

     PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0

 ])

-IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, [dnl

-    PRE_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@

-    PREROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-])

-IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES_IFACES], 0, [dnl

-    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-    PRE_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-])

+IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0,

+  [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]

+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]

+    PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]

+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]

+]])

 IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl

     POSTROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0

     POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0

 ])

-IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, [dnl

-    POST_work all -- 0.0.0.0/0 1.2.3.0/24 @<:@goto@:>@

-    POSTROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-])

-IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES_IFACES], 0, [dnl

-    POST_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-    POST_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

-    POST_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@