Blame SOURCES/0060-test-add-coverage-for-258-and-441.patch

c8bceb
From 959584ced5e1c1853b62ff5e15c3e9fa49837ea4 Mon Sep 17 00:00:00 2001
c8bceb
From: Eric Garver <eric@garver.life>
c8bceb
Date: Thu, 30 May 2019 16:16:51 -0400
c8bceb
Subject: [PATCH 60/73] test: add coverage for #258 and #441
c8bceb
c8bceb
(cherry picked from commit 0c49548a4954a0c5f2a982fd3a46b135afa74965)
c8bceb
(cherry picked from commit 87235daf6290eba20c38178edca6c9bd7475caf3)
c8bceb
---
c8bceb
 src/tests/regression.at       |   1 +
c8bceb
 src/tests/regression/gh258.at | 441 ++++++++++++++++++++++++++++++++++
c8bceb
 2 files changed, 442 insertions(+)
c8bceb
 create mode 100644 src/tests/regression/gh258.at
c8bceb
c8bceb
diff --git a/src/tests/regression.at b/src/tests/regression.at
c8bceb
index 8bcb576238e6..00690fc6459e 100644
c8bceb
--- a/src/tests/regression.at
c8bceb
+++ b/src/tests/regression.at
c8bceb
@@ -19,3 +19,4 @@ m4_include([regression/gh335.at])
c8bceb
 m4_include([regression/gh482.at])
c8bceb
 m4_include([regression/gh478.at])
c8bceb
 m4_include([regression/gh453.at])
c8bceb
+m4_include([regression/gh258.at])
c8bceb
diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at
c8bceb
new file mode 100644
c8bceb
index 000000000000..d0c4f2fa7432
c8bceb
--- /dev/null
c8bceb
+++ b/src/tests/regression/gh258.at
c8bceb
@@ -0,0 +1,441 @@
c8bceb
+FWD_START_TEST([zone dispatch layout])
c8bceb
+AT_KEYWORDS(zone gh258 gh441)
c8bceb
+
c8bceb
+FWD_CHECK([--zone=work --add-source="1.2.3.0/24"], 0, ignore)
c8bceb
+IF_IPV6_SUPPORTED([
c8bceb
+FWD_CHECK([--zone=public --add-source="dead:beef::/54"], 0, ignore)
c8bceb
+])
c8bceb
+FWD_CHECK([--zone=work --add-interface=dummy0], 0, ignore)
c8bceb
+FWD_CHECK([--zone=public --add-interface=dummy1], 0, ignore)
c8bceb
+
c8bceb
+dnl verify layout of zone dispatch
c8bceb
+m4_if(nftables, FIREWALL_BACKEND, [
c8bceb
+NFT_LIST_RULES([inet], [filter_INPUT], 0, [dnl
c8bceb
+    table inet firewalld {
c8bceb
+        chain filter_INPUT {
c8bceb
+            ct state established,related accept
c8bceb
+            iifname "lo" accept
c8bceb
+            jump filter_INPUT_ZONES
c8bceb
+            ct state invalid drop
c8bceb
+            reject with icmpx type admin-prohibited
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl
c8bceb
+    table inet firewalld {
c8bceb
+        chain filter_INPUT_ZONES {
c8bceb
+            ip6 saddr dead:beef::/54 goto filter_IN_public
c8bceb
+            ip saddr 1.2.3.0/24 goto filter_IN_work
c8bceb
+            goto filter_INPUT_ZONES_IFACES
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([inet], [filter_INPUT_ZONES_IFACES], 0, [dnl
c8bceb
+    table inet firewalld {
c8bceb
+        chain filter_INPUT_ZONES_IFACES {
c8bceb
+            iifname "dummy1" goto filter_IN_public
c8bceb
+            iifname "dummy0" goto filter_IN_work
c8bceb
+            goto filter_IN_public
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
c8bceb
+    table inet firewalld {
c8bceb
+        chain filter_FORWARD {
c8bceb
+            ct state established,related accept
c8bceb
+            iifname "lo" accept
c8bceb
+            jump filter_FORWARD_IN_ZONES
c8bceb
+            jump filter_FORWARD_OUT_ZONES
c8bceb
+            ct state invalid drop
c8bceb
+            reject with icmpx type admin-prohibited
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES], 0, [dnl
c8bceb
+    table inet firewalld {
c8bceb
+        chain filter_FORWARD_IN_ZONES {
c8bceb
+            ip6 saddr dead:beef::/54 goto filter_FWDI_public
c8bceb
+            ip saddr 1.2.3.0/24 goto filter_FWDI_work
c8bceb
+            goto filter_FORWARD_IN_ZONES_IFACES
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES_IFACES], 0, [dnl
c8bceb
+    table inet firewalld {
c8bceb
+        chain filter_FORWARD_IN_ZONES_IFACES {
c8bceb
+            iifname "dummy1" goto filter_FWDI_public
c8bceb
+            iifname "dummy0" goto filter_FWDI_work
c8bceb
+            goto filter_FWDI_public
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl
c8bceb
+    table inet firewalld {
c8bceb
+        chain filter_FORWARD_OUT_ZONES {
c8bceb
+            ip6 daddr dead:beef::/54 goto filter_FWDO_public
c8bceb
+            ip daddr 1.2.3.0/24 goto filter_FWDO_work
c8bceb
+            goto filter_FORWARD_OUT_ZONES_IFACES
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES_IFACES], 0, [dnl
c8bceb
+    table inet firewalld {
c8bceb
+        chain filter_FORWARD_OUT_ZONES_IFACES {
c8bceb
+            oifname "dummy1" goto filter_FWDO_public
c8bceb
+            oifname "dummy0" goto filter_FWDO_work
c8bceb
+            goto filter_FWDO_public
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl
c8bceb
+    table inet firewalld {
c8bceb
+        chain raw_PREROUTING {
c8bceb
+            m4_if(yes, HOST_SUPPORTS_NFT_FIB, [dnl
c8bceb
+            icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
c8bceb
+            meta nfproto ipv6 fib saddr . iif oif missing drop
c8bceb
+            ])dnl
c8bceb
+            jump raw_PREROUTING_ZONES
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl
c8bceb
+    table inet firewalld {
c8bceb
+        chain raw_PREROUTING_ZONES {
c8bceb
+            ip6 saddr dead:beef::/54 goto raw_PRE_public
c8bceb
+            ip saddr 1.2.3.0/24 goto raw_PRE_work
c8bceb
+            goto raw_PREROUTING_ZONES_IFACES
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES_IFACES], 0, [dnl
c8bceb
+    table inet firewalld {
c8bceb
+        chain raw_PREROUTING_ZONES_IFACES {
c8bceb
+            iifname "dummy1" goto raw_PRE_public
c8bceb
+            iifname "dummy0" goto raw_PRE_work
c8bceb
+            goto raw_PRE_public
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([inet], [mangle_PREROUTING], 0, [dnl
c8bceb
+    table inet firewalld {
c8bceb
+        chain mangle_PREROUTING {
c8bceb
+            jump mangle_PREROUTING_ZONES
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl
c8bceb
+    table inet firewalld {
c8bceb
+        chain mangle_PREROUTING_ZONES {
c8bceb
+            ip6 saddr dead:beef::/54 goto mangle_PRE_public
c8bceb
+            ip saddr 1.2.3.0/24 goto mangle_PRE_work
c8bceb
+            goto mangle_PREROUTING_ZONES_IFACES
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES_IFACES], 0, [dnl
c8bceb
+    table inet firewalld {
c8bceb
+        chain mangle_PREROUTING_ZONES_IFACES {
c8bceb
+            iifname "dummy1" goto mangle_PRE_public
c8bceb
+            iifname "dummy0" goto mangle_PRE_work
c8bceb
+            goto mangle_PRE_public
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([ip], [nat_PREROUTING], 0, [dnl
c8bceb
+    table ip firewalld {
c8bceb
+        chain nat_PREROUTING {
c8bceb
+            jump nat_PREROUTING_ZONES
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES], 0, [dnl
c8bceb
+    table ip firewalld {
c8bceb
+        chain nat_PREROUTING_ZONES {
c8bceb
+            ip saddr 1.2.3.0/24 goto nat_PRE_work
c8bceb
+            goto nat_PREROUTING_ZONES_IFACES
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES_IFACES], 0, [dnl
c8bceb
+    table ip firewalld {
c8bceb
+        chain nat_PREROUTING_ZONES_IFACES {
c8bceb
+            iifname "dummy1" goto nat_PRE_public
c8bceb
+            iifname "dummy0" goto nat_PRE_work
c8bceb
+            goto nat_PRE_public
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([ip], [nat_POSTROUTING], 0, [dnl
c8bceb
+    table ip firewalld {
c8bceb
+        chain nat_POSTROUTING {
c8bceb
+            jump nat_POSTROUTING_ZONES
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl
c8bceb
+    table ip firewalld {
c8bceb
+        chain nat_POSTROUTING_ZONES {
c8bceb
+            ip daddr 1.2.3.0/24 goto nat_POST_work
c8bceb
+            goto nat_POSTROUTING_ZONES_IFACES
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_IFACES], 0, [dnl
c8bceb
+    table ip firewalld {
c8bceb
+        chain nat_POSTROUTING_ZONES_IFACES {
c8bceb
+            oifname "dummy1" goto nat_POST_public
c8bceb
+            oifname "dummy0" goto nat_POST_work
c8bceb
+            goto nat_POST_public
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([ip6], [nat_PREROUTING], 0, [dnl
c8bceb
+    table ip6 firewalld {
c8bceb
+        chain nat_PREROUTING {
c8bceb
+            jump nat_PREROUTING_ZONES
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES], 0, [dnl
c8bceb
+    table ip6 firewalld {
c8bceb
+        chain nat_PREROUTING_ZONES {
c8bceb
+            ip6 saddr dead:beef::/54 goto nat_PRE_public
c8bceb
+            goto nat_PREROUTING_ZONES_IFACES
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES_IFACES], 0, [dnl
c8bceb
+    table ip6 firewalld {
c8bceb
+        chain nat_PREROUTING_ZONES_IFACES {
c8bceb
+            iifname "dummy1" goto nat_PRE_public
c8bceb
+            iifname "dummy0" goto nat_PRE_work
c8bceb
+            goto nat_PRE_public
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([ip6], [nat_POSTROUTING], 0, [dnl
c8bceb
+    table ip6 firewalld {
c8bceb
+        chain nat_POSTROUTING {
c8bceb
+            jump nat_POSTROUTING_ZONES
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl
c8bceb
+    table ip6 firewalld {
c8bceb
+        chain nat_POSTROUTING_ZONES {
c8bceb
+            ip6 daddr dead:beef::/54 goto nat_POST_public
c8bceb
+            goto nat_POSTROUTING_ZONES_IFACES
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_IFACES], 0, [dnl
c8bceb
+    table ip firewalld {
c8bceb
+        chain nat_POSTROUTING_ZONES_IFACES {
c8bceb
+            oifname "dummy1" goto nat_POST_public
c8bceb
+            oifname "dummy0" goto nat_POST_work
c8bceb
+            goto nat_POST_public
c8bceb
+        }
c8bceb
+    }
c8bceb
+])
c8bceb
+], [
c8bceb
+
c8bceb
+IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
c8bceb
+    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
c8bceb
+    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
c8bceb
+    INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
c8bceb
+    INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
c8bceb
+    DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
c8bceb
+    REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
c8bceb
+])
c8bceb
+IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0, [dnl
c8bceb
+    IN_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@
c8bceb
+    INPUT_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IPTABLES_LIST_RULES([filter], [INPUT_ZONES_IFACES], 0, [dnl
c8bceb
+    IN_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+    IN_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+    IN_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
c8bceb
+    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
c8bceb
+    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
c8bceb
+    FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
c8bceb
+    FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
c8bceb
+    FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
c8bceb
+    DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
c8bceb
+    REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
c8bceb
+])
c8bceb
+IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, [dnl
c8bceb
+    FWDI_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@
c8bceb
+    FORWARD_IN_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_IFACES], 0, [dnl
c8bceb
+    FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+    FWDI_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+    FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, [dnl
c8bceb
+    FWDO_work all -- 0.0.0.0/0 1.2.3.0/24 @<:@goto@:>@
c8bceb
+    FORWARD_OUT_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_IFACES], 0, [dnl
c8bceb
+    FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+    FWDO_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+    FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
c8bceb
+    PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
c8bceb
+    PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
c8bceb
+])
c8bceb
+IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, [dnl
c8bceb
+    PRE_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@
c8bceb
+    PREROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES_IFACES], 0, [dnl
c8bceb
+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+    PRE_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
c8bceb
+    PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
c8bceb
+    PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
c8bceb
+])
c8bceb
+IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, [dnl
c8bceb
+    PRE_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@
c8bceb
+    PREROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES_IFACES], 0, [dnl
c8bceb
+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+    PRE_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
c8bceb
+    PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
c8bceb
+    PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
c8bceb
+])
c8bceb
+IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, [dnl
c8bceb
+    PRE_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@
c8bceb
+    PREROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES_IFACES], 0, [dnl
c8bceb
+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+    PRE_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
c8bceb
+    POSTROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
c8bceb
+    POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
c8bceb
+])
c8bceb
+IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, [dnl
c8bceb
+    POST_work all -- 0.0.0.0/0 1.2.3.0/24 @<:@goto@:>@
c8bceb
+    POSTROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES_IFACES], 0, [dnl
c8bceb
+    POST_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+    POST_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+    POST_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+
c8bceb
+
c8bceb
+IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl
c8bceb
+    ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
c8bceb
+    ACCEPT all ::/0 ::/0
c8bceb
+    INPUT_direct all ::/0 ::/0
c8bceb
+    INPUT_ZONES all ::/0 ::/0
c8bceb
+    DROP all ::/0 ::/0 ctstate INVALID
c8bceb
+    REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
c8bceb
+])
c8bceb
+IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0, [dnl
c8bceb
+    IN_public all dead:beef::/54 ::/0 @<:@goto@:>@
c8bceb
+    INPUT_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IP6TABLES_LIST_RULES([filter], [INPUT_ZONES_IFACES], 0, [dnl
c8bceb
+    IN_public all ::/0 ::/0 @<:@goto@:>@
c8bceb
+    IN_work all ::/0 ::/0 @<:@goto@:>@
c8bceb
+    IN_public all ::/0 ::/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
c8bceb
+    ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
c8bceb
+    ACCEPT all ::/0 ::/0
c8bceb
+    FORWARD_direct all ::/0 ::/0
c8bceb
+    FORWARD_IN_ZONES all ::/0 ::/0
c8bceb
+    FORWARD_OUT_ZONES all ::/0 ::/0
c8bceb
+    DROP all ::/0 ::/0 ctstate INVALID
c8bceb
+    REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
c8bceb
+])
c8bceb
+IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, [dnl
c8bceb
+    FWDI_public all dead:beef::/54 ::/0 @<:@goto@:>@
c8bceb
+    FORWARD_IN_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_IFACES], 0, [dnl
c8bceb
+    FWDI_public all ::/0 ::/0 @<:@goto@:>@
c8bceb
+    FWDI_work all ::/0 ::/0 @<:@goto@:>@
c8bceb
+    FWDI_public all ::/0 ::/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, [dnl
c8bceb
+    FWDO_public all ::/0 dead:beef::/54 @<:@goto@:>@
c8bceb
+    FORWARD_OUT_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_IFACES], 0, [dnl
c8bceb
+    FWDO_public all ::/0 ::/0 @<:@goto@:>@
c8bceb
+    FWDO_work all ::/0 ::/0 @<:@goto@:>@
c8bceb
+    FWDO_public all ::/0 ::/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
c8bceb
+    ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134
c8bceb
+    ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135
c8bceb
+    DROP all ::/0 ::/0 rpfilter invert
c8bceb
+    PREROUTING_direct all ::/0 ::/0
c8bceb
+    PREROUTING_ZONES all ::/0 ::/0
c8bceb
+])
c8bceb
+IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, [dnl
c8bceb
+    PRE_public all dead:beef::/54 ::/0 @<:@goto@:>@
c8bceb
+    PREROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES_IFACES], 0, [dnl
c8bceb
+    PRE_public all ::/0 ::/0 @<:@goto@:>@
c8bceb
+    PRE_work all ::/0 ::/0 @<:@goto@:>@
c8bceb
+    PRE_public all ::/0 ::/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
c8bceb
+    PREROUTING_direct all ::/0 ::/0
c8bceb
+    PREROUTING_ZONES all ::/0 ::/0
c8bceb
+])
c8bceb
+IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, [dnl
c8bceb
+    PRE_public all dead:beef::/54 ::/0 @<:@goto@:>@
c8bceb
+    PREROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES_IFACES], 0, [dnl
c8bceb
+    PRE_public all ::/0 ::/0 @<:@goto@:>@
c8bceb
+    PRE_work all ::/0 ::/0 @<:@goto@:>@
c8bceb
+    PRE_public all ::/0 ::/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
c8bceb
+    PREROUTING_direct all ::/0 ::/0
c8bceb
+    PREROUTING_ZONES all ::/0 ::/0
c8bceb
+])
c8bceb
+IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, [dnl
c8bceb
+    PRE_public all dead:beef::/54 ::/0 @<:@goto@:>@
c8bceb
+    PREROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES_IFACES], 0, [dnl
c8bceb
+    PRE_public all ::/0 ::/0 @<:@goto@:>@
c8bceb
+    PRE_work all ::/0 ::/0 @<:@goto@:>@
c8bceb
+    PRE_public all ::/0 ::/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
c8bceb
+    POSTROUTING_direct all ::/0 ::/0
c8bceb
+    POSTROUTING_ZONES all ::/0 ::/0
c8bceb
+])
c8bceb
+IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, [dnl
c8bceb
+    POST_public all ::/0 dead:beef::/54 @<:@goto@:>@
c8bceb
+    POSTROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES_IFACES], 0, [dnl
c8bceb
+    POST_public all ::/0 ::/0 @<:@goto@:>@
c8bceb
+    POST_work all ::/0 ::/0 @<:@goto@:>@
c8bceb
+    POST_public all ::/0 ::/0 @<:@goto@:>@
c8bceb
+])
c8bceb
+])
c8bceb
+
c8bceb
+FWD_END_TEST
c8bceb
-- 
c8bceb
2.20.1
c8bceb