diff --git a/SOURCES/0123-feat-AllowZoneDrifting-config-option.patch b/SOURCES/0123-feat-AllowZoneDrifting-config-option.patch
new file mode 100644
index 0000000..365625c
--- /dev/null
+++ b/SOURCES/0123-feat-AllowZoneDrifting-config-option.patch
@@ -0,0 +1,291 @@
+From d43540044023331f053437c2b95fbef49592fcd6 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Sun, 19 Jan 2020 14:13:36 -0500
+Subject: [PATCH 123/127] feat: AllowZoneDrifting config option
+
+Older versions of firewalld had undocumented behavior known as "zone
+drifting". This allowed packets to ingress multiple zones - this is a
+violation of zone based firewalls. However, some users rely on this
+behavior to have a "catch-all" zone, e.g. the default zone. You can
+enable this if you desire such behavior. It's disabled by default for
+security reasons.
+
+Note: If "yes" packets will only drift from source based zones to
+interface based zones (including the default zone). Packets never drift
+from interface based zones to other interfaces based zones (including
+the default zone).
+
+(cherry picked from commit afadd377b09dc62b340d24bcf891d31f040d1a18)
+(cherry picked from commit 3bbd15a5317b59e175e2a060d1a6ecf4c2129b32)
+---
+ config/firewalld.conf                  | 12 ++++++++++++
+ doc/xml/firewalld.conf.xml             | 19 +++++++++++++++++++
+ doc/xml/firewalld.dbus.xml             | 16 ++++++++++++++++
+ src/firewall/config/__init__.py.in     |  1 +
+ src/firewall/core/fw.py                | 14 ++++++++++++++
+ src/firewall/core/io/firewalld_conf.py | 13 +++++++++++--
+ src/firewall/server/config.py          | 20 +++++++++++++++++---
+ src/tests/dbus/firewalld.conf.at       |  3 +++
+ 8 files changed, 93 insertions(+), 5 deletions(-)
+
+diff --git a/config/firewalld.conf b/config/firewalld.conf
+index 63df409bf567..02be07b9b892 100644
+--- a/config/firewalld.conf
++++ b/config/firewalld.conf
+@@ -55,3 +55,15 @@ LogDenied=off
+ # will be used. Possible values are: yes, no and system.
+ # Default: system
+ AutomaticHelpers=system
++
++# AllowZoneDrifting
++# Older versions of firewalld had undocumented behavior known as "zone
++# drifting". This allowed packets to ingress multiple zones - this is a
++# violation of zone based firewalls. However, some users rely on this behavior
++# to have a "catch-all" zone, e.g. the default zone. You can enable this if you
++# desire such behavior. It's disabled by default for security reasons.
++# Note: If "yes" packets will only drift from source based zones to interface
++# based zones (including the default zone). Packets never drift from interface
++# based zones to other interfaces based zones (including the default zone).
++# Possible values; "yes", "no". Defaults to "no".
++AllowZoneDrifting=no
+diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
+index afb94b90937f..9d8017df3112 100644
+--- a/doc/xml/firewalld.conf.xml
++++ b/doc/xml/firewalld.conf.xml
+@@ -144,6 +144,25 @@
+ 	</listitem>
+       </varlistentry>
+ 
++        <varlistentry>
++            <term><option>AllowZoneDrifting</option></term>
++            <listitem>
++                <para>
++                Older versions of firewalld had undocumented behavior known
++                as "zone drifting". This allowed packets to ingress multiple
++                zones - this is a violation of zone based firewalls. However,
++                some users rely on this behavior to have a "catch-all" zone,
++                e.g. the default zone. You can enable this if you desire such
++                behavior. It's disabled by default for security reasons.
++                Note: If "yes" packets will only drift from source based zones
++                to interface based zones (including the default zone). Packets
++                never drift from interface based zones to other interfaces
++                based zones (including the default zone).
++                Valid values; "yes", "no". Defaults to "no".
++                </para>
++            </listitem>
++        </varlistentry>
++
+     </variablelist>
+ 
+   </refsect1>
+diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
+index ec82d4cad077..ea0be9cefd1c 100644
+--- a/doc/xml/firewalld.dbus.xml
++++ b/doc/xml/firewalld.dbus.xml
+@@ -2558,6 +2558,22 @@
+       <refsect3 id="FirewallD1.config.Properties">
+         <title>Properties</title>
+         <variablelist>
++          <varlistentry id="FirewallD1.config.Properties.AllowZoneDrifting">
++            <term><parameter>AllowZoneDrifting</parameter> - s - (rw)</term>
++            <listitem><para>
++                Older versions of firewalld had undocumented behavior known
++                as "zone drifting". This allowed packets to ingress multiple
++                zones - this is a violation of zone based firewalls. However,
++                some users rely on this behavior to have a "catch-all" zone,
++                e.g. the default zone. You can enable this if you desire such
++                behavior. It's disabled by default for security reasons.
++                Note: If "yes" packets will only drift from source based zones
++                to interface based zones (including the default zone). Packets
++                never drift from interface based zones to other interfaces
++                based zones (including the default zone).
++                Valid values; "yes", "no". Defaults to "no".
++            </para></listitem>
++          </varlistentry>
+           <varlistentry id="FirewallD1.config.Properties.AutomaticHelpers">
+             <term>AutomaticHelpers - s - (rw)</term>
+             <listitem>
+diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
+index 1b2168bde44d..3926c8fdb3a3 100644
+--- a/src/firewall/config/__init__.py.in
++++ b/src/firewall/config/__init__.py.in
+@@ -128,3 +128,4 @@ FALLBACK_INDIVIDUAL_CALLS = False
+ FALLBACK_LOG_DENIED = "off"
+ FALLBACK_AUTOMATIC_HELPERS = "system"
+ FALLBACK_FIREWALL_BACKEND = "iptables"
++FALLBACK_ALLOW_ZONE_DRIFTING = False
+diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
+index b1643a1ebff4..5d3cf6e6ce44 100644
+--- a/src/firewall/core/fw.py
++++ b/src/firewall/core/fw.py
+@@ -114,6 +114,7 @@ class Firewall(object):
+         self._automatic_helpers = config.FALLBACK_AUTOMATIC_HELPERS
+         self._firewall_backend = config.FALLBACK_FIREWALL_BACKEND
+         self.nf_conntrack_helper_setting = 0
++        self._allow_zone_drifting = config.FALLBACK_ALLOW_ZONE_DRIFTING
+ 
+     def individual_calls(self):
+         return self._individual_calls
+@@ -269,6 +270,19 @@ class Firewall(object):
+                     log.debug1("AutomaticHelpers is set to '%s'",
+                                self._automatic_helpers)
+ 
++            if self._firewalld_conf.get("AllowZoneDrifting"):
++                value = self._firewalld_conf.get("AllowZoneDrifting")
++                if value.lower() in [ "no", "false" ]:
++                    self._allow_zone_drifting = False
++                else:
++                    self._allow_zone_drifting = True
++                    log.warning("AllowZoneDrifting is enabled. This is considered "
++                                "an insecure configuration option. It will be "
++                                "removed in a future release. Please consider "
++                                "disabling it now.")
++                log.debug1("AllowZoneDrifting is set to '%s'",
++                           self._allow_zone_drifting)
++
+         self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf))
+ 
+         self._select_firewall_backend(self._firewall_backend)
+diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
+index 9aee2dc6f9b7..a640d8e2f201 100644
+--- a/src/firewall/core/io/firewalld_conf.py
++++ b/src/firewall/core/io/firewalld_conf.py
+@@ -28,9 +28,9 @@ from firewall import config
+ from firewall.core.logger import log
+ from firewall.functions import b2u, u2b, PY2
+ 
+-valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown", 
++valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown",
+                "IPv6_rpfilter", "IndividualCalls", "LogDenied",
+-               "AutomaticHelpers" ]
++               "AutomaticHelpers", "AllowZoneDrifting" ]
+ 
+ class firewalld_conf(object):
+     def __init__(self, filename):
+@@ -79,6 +79,7 @@ class firewalld_conf(object):
+             self.set("IndividualCalls", "yes" if config.FALLBACK_INDIVIDUAL_CALLS else "no")
+             self.set("LogDenied", config.FALLBACK_LOG_DENIED)
+             self.set("AutomaticHelpers", config.FALLBACK_AUTOMATIC_HELPERS)
++            self.set("AllowZoneDrifting", "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no")
+             raise
+ 
+         for line in f:
+@@ -174,6 +175,14 @@ class firewalld_conf(object):
+                             config.FALLBACK_AUTOMATIC_HELPERS)
+             self.set("AutomaticHelpers", str(config.FALLBACK_AUTOMATIC_HELPERS))
+ 
++        value = self.get("AllowZoneDrifting")
++        if not value or value.lower() not in [ "yes", "true", "no", "false" ]:
++            if value is not None:
++                log.warning("AllowZoneDrifting '%s' is not valid, using default "
++                            "value %s", value if value else '',
++                            config.FALLBACK_ALLOW_ZONE_DRIFTING)
++            self.set("AllowZoneDrifting", str(config.FALLBACK_ALLOW_ZONE_DRIFTING))
++
+     # save to self.filename if there are key/value changes
+     def write(self):
+         if len(self._config) < 1:
+diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py
+index cd640ba881ca..86b4e4428748 100644
+--- a/src/firewall/server/config.py
++++ b/src/firewall/server/config.py
+@@ -105,6 +105,7 @@ class FirewallDConfig(slip.dbus.service.Object):
+                                                 "IndividualCalls": "readwrite",
+                                                 "LogDenied": "readwrite",
+                                                 "AutomaticHelpers": "readwrite",
++                                                "AllowZoneDrifting": "readwrite",
+                                               })
+ 
+     @handle_exceptions
+@@ -484,7 +485,7 @@ class FirewallDConfig(slip.dbus.service.Object):
+     def _get_property(self, prop):
+         if prop not in [ "DefaultZone", "MinimalMark", "CleanupOnExit",
+                          "Lockdown", "IPv6_rpfilter", "IndividualCalls",
+-                         "LogDenied", "AutomaticHelpers" ]:
++                         "LogDenied", "AutomaticHelpers", "AllowZoneDrifting"]:
+             raise dbus.exceptions.DBusException(
+                 "org.freedesktop.DBus.Error.InvalidArgs: "
+                 "Property '%s' does not exist" % prop)
+@@ -525,6 +526,10 @@ class FirewallDConfig(slip.dbus.service.Object):
+             if value is None:
+                 value = config.FALLBACK_AUTOMATIC_HELPERS
+             return dbus.String(value)
++        elif prop == "AllowZoneDrifting":
++            if value is None:
++                value = "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no"
++            return dbus.String(value)
+ 
+     @dbus_handle_exceptions
+     def _get_dbus_property(self, prop):
+@@ -544,6 +549,8 @@ class FirewallDConfig(slip.dbus.service.Object):
+             return dbus.String(self._get_property(prop))
+         elif prop == "AutomaticHelpers":
+             return dbus.String(self._get_property(prop))
++        elif prop == "AllowZoneDrifting":
++            return dbus.String(self._get_property(prop))
+         else:
+             raise dbus.exceptions.DBusException(
+                 "org.freedesktop.DBus.Error.InvalidArgs: "
+@@ -583,7 +590,7 @@ class FirewallDConfig(slip.dbus.service.Object):
+         if interface_name == config.dbus.DBUS_INTERFACE_CONFIG:
+             for x in [ "DefaultZone", "MinimalMark", "CleanupOnExit",
+                        "Lockdown", "IPv6_rpfilter", "IndividualCalls",
+-                       "LogDenied", "AutomaticHelpers" ]:
++                       "LogDenied", "AutomaticHelpers", "AllowZoneDrifting" ]:
+                 ret[x] = self._get_property(x)
+         elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT,
+                                  config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]:
+@@ -609,7 +616,8 @@ class FirewallDConfig(slip.dbus.service.Object):
+         if interface_name == config.dbus.DBUS_INTERFACE_CONFIG:
+             if property_name in [ "MinimalMark", "CleanupOnExit", "Lockdown",
+                                   "IPv6_rpfilter", "IndividualCalls",
+-                                  "LogDenied", "AutomaticHelpers" ]:
++                                  "LogDenied", "AutomaticHelpers",
++                                  "AllowZoneDrifting" ]:
+                 if property_name == "MinimalMark":
+                     try:
+                         int(new_value)
+@@ -638,6 +646,12 @@ class FirewallDConfig(slip.dbus.service.Object):
+                         raise FirewallError(errors.INVALID_VALUE,
+                                             "'%s' for %s" % \
+                                             (new_value, property_name))
++                if property_name == "AllowZoneDrifting":
++                    if new_value.lower() not in ["yes", "true", "no", "false"]:
++                        raise FirewallError(errors.INVALID_VALUE,
++                                            "'%s' for %s" % \
++                                            (new_value, property_name))
++
+                 self.config.get_firewalld_conf().set(property_name, new_value)
+                 self.config.get_firewalld_conf().write()
+                 self.PropertiesChanged(interface_name,
+diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
+index 05eb3dd5f650..0884e21b6368 100644
+--- a/src/tests/dbus/firewalld.conf.at
++++ b/src/tests/dbus/firewalld.conf.at
+@@ -3,6 +3,7 @@ FWD_START_TEST([firewalld.conf])
+ dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
+ IF_HOST_SUPPORTS_NFT_FIB([
+ DBUS_GETALL([config], [config], 0, [dnl
++string "AllowZoneDrifting" : variant string "no"
+ string "AutomaticHelpers" : variant string "system"
+ string "CleanupOnExit" : variant string "no"
+ string "DefaultZone" : variant string "public"
+@@ -13,6 +14,7 @@ string "LogDenied" : variant string "off"
+ string "MinimalMark" : variant int32 100
+ ])], [
+ DBUS_GETALL([config], [config], 0, [dnl
++string "AllowZoneDrifting" : variant string "no"
+ string "AutomaticHelpers" : variant string "system"
+ string "CleanupOnExit" : variant string "no"
+ string "DefaultZone" : variant string "public"
+@@ -39,6 +41,7 @@ _helper([LogDenied], [string:"all"], [variant string "all"])
+ _helper([IPv6_rpfilter], [string:"yes"], [variant string "yes"])
+ _helper([IndividualCalls], [string:"yes"], [variant string "yes"])
+ _helper([CleanupOnExit], [string:"yes"], [variant string "yes"])
++_helper([AllowZoneDrifting], [string:"yes"], [variant string "yes"])
+ dnl Note: DefaultZone is RO
+ m4_undefine([_helper])
+ 
+-- 
+2.23.0
+
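Review bot: In the src/firewall/core/fw.py section the new AllowZoneDrifting parsing fails open: every value other than "no" or "false" sets `_allow_zone_drifting = True`, so the option the commit message calls insecure stays off only as long as firewalld_conf.py has already normalised the value. Enabling only on an explicit opt-in, `if value.lower() in [ "yes", "true" ]:` with the warning in that branch and `False` in the `else`, keeps the default-off intent local to this code. Related: the validation fallback in src/firewall/core/io/firewalld_conf.py stores `str(config.FALLBACK_ALLOW_ZONE_DRIFTING)`, i.e. "False", while the file-missing path and the D-Bus getter use "yes"/"no"; `"yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no"` there would keep the stored and reported value inside the documented set. Both enclosing methods start outside the visible hunks.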
diff --git a/SOURCES/0124-feat-nftables-support-AllowZoneDrifting-yes.patch b/SOURCES/0124-feat-nftables-support-AllowZoneDrifting-yes.patch
new file mode 100644
index 0000000..4bbb413
--- /dev/null
+++ b/SOURCES/0124-feat-nftables-support-AllowZoneDrifting-yes.patch
@@ -0,0 +1,125 @@
+From 62f42ba84c51cd836619ee2c11bd61802d1ff064 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Sun, 19 Jan 2020 14:37:31 -0500
+Subject: [PATCH 124/127] feat: nftables: support AllowZoneDrifting=yes
+
+(cherry picked from commit 517a061c5886f2ebfb4aa7d73804aa7f3c5a3004)
+(cherry picked from commit 618cd7e8612be216956aea278b798b32c067f933)
+---
+ src/firewall/core/nftables.py | 47 ++++++++++++++++++++++-------------
+ 1 file changed, 30 insertions(+), 17 deletions(-)
+
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 0317d820389f..a559dc64c466 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -199,8 +199,11 @@ class nftables(object):
+ 
+                 index = zone_source_index_cache[family].index(zone_source)
+             else:
+-                index = len(zone_source_index_cache[family])
+-                
++                if self._fw._allow_zone_drifting:
++                    index = 0
++                else:
++                    index = len(zone_source_index_cache[family])
++
+             if index == 0:
+                 rule[0] = "insert"
+             else:
+@@ -411,9 +414,10 @@ class nftables(object):
+                                   IPTABLES_TO_NFT_HOOK["raw"][chain][0],
+                                   IPTABLES_TO_NFT_HOOK["raw"][chain][1]))
+ 
+-            default_rules.append("add chain inet %s raw_%s_ZONES" % (TABLE_NAME, chain))
+-            default_rules.append("add rule inet %s raw_%s jump raw_%s_ZONES" % (TABLE_NAME, chain, chain))
+-            OUR_CHAINS["inet"]["raw"].update(set(["%s_ZONES" % chain]))
++            for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
++                default_rules.append("add chain inet %s raw_%s_%s" % (TABLE_NAME, chain, dispatch_suffix))
++                default_rules.append("add rule inet %s raw_%s jump raw_%s_%s" % (TABLE_NAME, chain, chain, dispatch_suffix))
++                OUR_CHAINS["inet"]["raw"].update(set(["%s_%s" % (chain, dispatch_suffix)]))
+ 
+         OUR_CHAINS["inet"]["mangle"] = set()
+         for chain in IPTABLES_TO_NFT_HOOK["mangle"].keys():
+@@ -422,9 +426,10 @@ class nftables(object):
+                                   IPTABLES_TO_NFT_HOOK["mangle"][chain][0],
+                                   IPTABLES_TO_NFT_HOOK["mangle"][chain][1]))
+ 
+-            default_rules.append("add chain inet %s mangle_%s_ZONES" % (TABLE_NAME, chain))
+-            default_rules.append("add rule inet %s mangle_%s jump mangle_%s_ZONES" % (TABLE_NAME, chain, chain))
+-            OUR_CHAINS["inet"]["mangle"].update(set(["%s_ZONES" % chain]))
++            for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
++                default_rules.append("add chain inet %s mangle_%s_%s" % (TABLE_NAME, chain, dispatch_suffix))
++                default_rules.append("add rule inet %s mangle_%s jump mangle_%s_%s" % (TABLE_NAME, chain, chain, dispatch_suffix))
++                OUR_CHAINS["inet"]["mangle"].update(set(["%s_%s" % (chain, dispatch_suffix)]))
+ 
+         OUR_CHAINS["ip"]["nat"] = set()
+         OUR_CHAINS["ip6"]["nat"] = set()
+@@ -435,9 +440,10 @@ class nftables(object):
+                                       IPTABLES_TO_NFT_HOOK["nat"][chain][0],
+                                       IPTABLES_TO_NFT_HOOK["nat"][chain][1]))
+ 
+-                default_rules.append("add chain %s %s nat_%s_ZONES" % (family, TABLE_NAME, chain))
+-                default_rules.append("add rule %s %s nat_%s jump nat_%s_ZONES" % (family, TABLE_NAME, chain, chain))
+-                OUR_CHAINS[family]["nat"].update(set(["%s_ZONES" % chain]))
++                for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
++                    default_rules.append("add chain %s %s nat_%s_%s" % (family, TABLE_NAME, chain, dispatch_suffix))
++                    default_rules.append("add rule %s %s nat_%s jump nat_%s_%s" % (family, TABLE_NAME, chain, chain, dispatch_suffix))
++                    OUR_CHAINS[family]["nat"].update(set(["%s_%s" % (chain, dispatch_suffix)]))
+ 
+         OUR_CHAINS["inet"]["filter"] = set()
+         for chain in IPTABLES_TO_NFT_HOOK["filter"].keys():
+@@ -447,10 +453,11 @@ class nftables(object):
+                                   IPTABLES_TO_NFT_HOOK["filter"][chain][1]))
+ 
+         # filter, INPUT
+-        default_rules.append("add chain inet %s filter_%s_ZONES" % (TABLE_NAME, "INPUT"))
+         default_rules.append("add rule inet %s filter_%s ct state established,related accept" % (TABLE_NAME, "INPUT"))
+         default_rules.append("add rule inet %s filter_%s iifname lo accept" % (TABLE_NAME, "INPUT"))
+-        default_rules.append("add rule inet %s filter_%s jump filter_%s_ZONES" % (TABLE_NAME, "INPUT", "INPUT"))
++        for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
++            default_rules.append("add chain inet %s filter_%s_%s" % (TABLE_NAME, "INPUT", dispatch_suffix))
++            default_rules.append("add rule inet %s filter_%s jump filter_%s_%s" % (TABLE_NAME, "INPUT", "INPUT", dispatch_suffix))
+         if log_denied != "off":
+             default_rules.append("add rule inet %s filter_%s ct state invalid %%%%LOGTYPE%%%% log prefix '\"STATE_INVALID_DROP: \"'" % (TABLE_NAME, "INPUT"))
+         default_rules.append("add rule inet %s filter_%s ct state invalid drop" % (TABLE_NAME, "INPUT"))
+@@ -460,11 +467,12 @@ class nftables(object):
+ 
+         # filter, FORWARD
+         default_rules.append("add chain inet %s filter_%s_IN_ZONES" % (TABLE_NAME, "FORWARD"))
+-        default_rules.append("add chain inet %s filter_%s_OUT_ZONES" % (TABLE_NAME, "FORWARD"))
+         default_rules.append("add rule inet %s filter_%s ct state established,related accept" % (TABLE_NAME, "FORWARD"))
+         default_rules.append("add rule inet %s filter_%s iifname lo accept" % (TABLE_NAME, "FORWARD"))
+-        default_rules.append("add rule inet %s filter_%s jump filter_%s_IN_ZONES" % (TABLE_NAME, "FORWARD", "FORWARD"))
+-        default_rules.append("add rule inet %s filter_%s jump filter_%s_OUT_ZONES" % (TABLE_NAME, "FORWARD", "FORWARD"))
++        for direction in ["IN", "OUT"]:
++            for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
++                default_rules.append("add chain inet %s filter_%s_%s_%s" % (TABLE_NAME, "FORWARD", direction, dispatch_suffix))
++                default_rules.append("add rule inet %s filter_%s jump filter_%s_%s_%s" % (TABLE_NAME, "FORWARD", "FORWARD", direction, dispatch_suffix))
+         if log_denied != "off":
+             default_rules.append("add rule inet %s filter_%s ct state invalid %%%%LOGTYPE%%%% log prefix '\"STATE_INVALID_DROP: \"'" % (TABLE_NAME, "FORWARD"))
+         default_rules.append("add rule inet %s filter_%s ct state invalid drop" % (TABLE_NAME, "FORWARD"))
+@@ -566,6 +574,11 @@ class nftables(object):
+             "OUTPUT": "daddr",
+         }[chain]
+ 
++        if self._fw._allow_zone_drifting:
++            zone_dispatch_chain = "%s_%s_ZONES_SOURCE" % (table, chain)
++        else:
++            zone_dispatch_chain = "%s_%s_ZONES" % (table, chain)
++
+         target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
+         action = "goto"
+ 
+@@ -585,7 +598,7 @@ class nftables(object):
+                 rule_family = "ip6"
+ 
+         rule = [add_del, "rule", family, "%s" % TABLE_NAME,
+-                "%s_%s_ZONES" % (table, chain),
++                zone_dispatch_chain,
+                 "%%ZONE_SOURCE%%", zone,
+                 rule_family, opt, address, action, "%s_%s" % (table, target)]
+         return [rule]
+-- 
+2.23.0
+
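Review bot: The expression `["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]` is repeated in five loops of the default-rules code (raw, mangle, nat, filter INPUT, filter FORWARD), and the order of that list appears to be what places source-based dispatch ahead of interface-based dispatch. Computing it once, e.g. `dispatch_suffixes = ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]`, with a comment such as `# ZONES_SOURCE first: packets may fall through from source zones to interface zones, never the reverse`, keeps that security-relevant ordering in one documented place. The backend also reads the private `self._fw._allow_zone_drifting` directly; whether Firewall exposes an accessor for it is not visible in this series. The enclosing methods start and end outside the hunks.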
diff --git a/SOURCES/0125-feat-ipXtables-support-AllowZoneDrifting-yes.patch b/SOURCES/0125-feat-ipXtables-support-AllowZoneDrifting-yes.patch
new file mode 100644
index 0000000..daea599
--- /dev/null
+++ b/SOURCES/0125-feat-ipXtables-support-AllowZoneDrifting-yes.patch
@@ -0,0 +1,178 @@
+From 232d0b6547bcbc5c213741deb721ff453f5e9e8d Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Sun, 19 Jan 2020 16:16:59 -0500
+Subject: [PATCH 125/127] feat: ipXtables: support AllowZoneDrifting=yes
+
+(cherry picked from commit 1f7b5ffcd40daf2a7f2ef1ec0cccb95080e74fb6)
+(cherry picked from commit bc274c9bcf8b704338a1c597f580cf2c85f9fbac)
+---
+ src/firewall/core/ipXtables.py | 93 +++++++++++++++++++---------------
+ 1 file changed, 51 insertions(+), 42 deletions(-)
+
+diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
+index b0a4c5e1c161..8f39fecc6132 100644
+--- a/src/firewall/core/ipXtables.py
++++ b/src/firewall/core/ipXtables.py
+@@ -321,8 +321,11 @@ class ip4tables(object):
+ 
+                 index = zone_source_index_cache.index(zone_source)
+             else:
+-                index = len(zone_source_index_cache)
+-                
++                if self._fw._allow_zone_drifting:
++                    index = 0
++                else:
++                    index = len(zone_source_index_cache)
++
+             rule[0] = "-I"
+             rule.insert(2, "%d" % (index + 1))
+ 
+@@ -577,9 +580,10 @@ class ip4tables(object):
+                 self.our_chains["raw"].add("%s_direct" % chain)
+ 
+                 if chain == "PREROUTING":
+-                    default_rules["raw"].append("-N %s_ZONES" % chain)
+-                    default_rules["raw"].append("-A %s -j %s_ZONES" % (chain, chain))
+-                    self.our_chains["raw"].update(set(["%s_ZONES" % chain]))
++                    for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
++                        default_rules["raw"].append("-N %s_%s" % (chain, dispatch_suffix))
++                        default_rules["raw"].append("-A %s -j %s_%s" % (chain, chain, dispatch_suffix))
++                        self.our_chains["raw"].update(set(["%s_%s" % (chain, dispatch_suffix)]))
+ 
+         if self.get_available_tables("mangle"):
+             default_rules["mangle"] = [ ]
+@@ -590,9 +594,10 @@ class ip4tables(object):
+                 self.our_chains["mangle"].add("%s_direct" % chain)
+ 
+                 if chain == "PREROUTING":
+-                    default_rules["mangle"].append("-N %s_ZONES" % chain)
+-                    default_rules["mangle"].append("-A %s -j %s_ZONES" % (chain, chain))
+-                    self.our_chains["mangle"].update(set(["%s_ZONES" % chain]))
++                    for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
++                        default_rules["mangle"].append("-N %s_%s" % (chain, dispatch_suffix))
++                        default_rules["mangle"].append("-A %s -j %s_%s" % (chain, chain, dispatch_suffix))
++                        self.our_chains["mangle"].update(set(["%s_%s" % (chain, dispatch_suffix)]))
+ 
+         if self.get_available_tables("nat"):
+             default_rules["nat"] = [ ]
+@@ -603,19 +608,22 @@ class ip4tables(object):
+                 self.our_chains["nat"].add("%s_direct" % chain)
+ 
+                 if chain in [ "PREROUTING", "POSTROUTING" ]:
+-                    default_rules["nat"].append("-N %s_ZONES" % chain)
+-                    default_rules["nat"].append("-A %s -j %s_ZONES" % (chain, chain))
+-                    self.our_chains["nat"].update(set(["%s_ZONES" % chain]))
+-
+-        default_rules["filter"] = [
+-            "-N INPUT_direct",
+-            "-N INPUT_ZONES",
+-
+-            "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
+-            "-A INPUT -i lo -j ACCEPT",
+-            "-A INPUT -j INPUT_direct",
+-            "-A INPUT -j INPUT_ZONES",
+-        ]
++                    for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
++                        default_rules["nat"].append("-N %s_%s" % (chain, dispatch_suffix))
++                        default_rules["nat"].append("-A %s -j %s_%s" % (chain, chain, dispatch_suffix))
++                        self.our_chains["nat"].update(set(["%s_%s" % (chain, dispatch_suffix)]))
++
++        default_rules["filter"] = []
++        self.our_chains["filter"] = set()
++        default_rules["filter"].append("-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
++        default_rules["filter"].append("-A INPUT -i lo -j ACCEPT")
++        default_rules["filter"].append("-N INPUT_direct")
++        default_rules["filter"].append("-A INPUT -j INPUT_direct")
++        self.our_chains["filter"].update(set("INPUT_direct"))
++        for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
++            default_rules["filter"].append("-N INPUT_%s" % (dispatch_suffix))
++            default_rules["filter"].append("-A INPUT -j INPUT_%s" % (dispatch_suffix))
++            self.our_chains["filter"].update(set("INPUT_%s" % (dispatch_suffix)))
+         if log_denied != "off":
+             default_rules["filter"].append("-A INPUT -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '")
+         default_rules["filter"].append("-A INPUT -m conntrack --ctstate INVALID -j DROP")
+@@ -623,17 +631,16 @@ class ip4tables(object):
+             default_rules["filter"].append("-A INPUT %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: '")
+         default_rules["filter"].append("-A INPUT -j %%REJECT%%")
+ 
+-        default_rules["filter"] += [
+-            "-N FORWARD_direct",
+-            "-N FORWARD_IN_ZONES",
+-            "-N FORWARD_OUT_ZONES",
+-
+-            "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
+-            "-A FORWARD -i lo -j ACCEPT",
+-            "-A FORWARD -j FORWARD_direct",
+-            "-A FORWARD -j FORWARD_IN_ZONES",
+-            "-A FORWARD -j FORWARD_OUT_ZONES",
+-        ]
++        default_rules["filter"].append("-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
++        default_rules["filter"].append("-A FORWARD -i lo -j ACCEPT")
++        default_rules["filter"].append("-N FORWARD_direct")
++        default_rules["filter"].append("-A FORWARD -j FORWARD_direct")
++        self.our_chains["filter"].update(set("FORWARD_direct"))
++        for direction in ["IN", "OUT"]:
++            for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
++                default_rules["filter"].append("-N FORWARD_%s_%s" % (direction, dispatch_suffix))
++                default_rules["filter"].append("-A FORWARD -j FORWARD_%s_%s" % (direction, dispatch_suffix))
++                self.our_chains["filter"].update(set("FORWARD_%s_%s" % (direction, dispatch_suffix)))
+         if log_denied != "off":
+             default_rules["filter"].append("-A FORWARD -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '")
+         default_rules["filter"].append("-A FORWARD -m conntrack --ctstate INVALID -j DROP")
+@@ -647,10 +654,7 @@ class ip4tables(object):
+             "-A OUTPUT -o lo -j ACCEPT",
+             "-A OUTPUT -j OUTPUT_direct",
+         ]
+-
+-        self.our_chains["filter"] = set(["INPUT_direct", "INPUT_ZONES",
+-                                         "FORWARD_direct", "FORWARD_IN_ZONES",
+-                                         "FORWARD_OUT_ZONES", "OUTPUT_direct"])
++        self.our_chains["filter"].update(set("OUTPUT_direct"))
+ 
+         final_default_rules = []
+         for table in default_rules:
+@@ -717,6 +721,11 @@ class ip4tables(object):
+             "OUTPUT": "-d",
+         }[chain]
+ 
++        if self._fw._allow_zone_drifting:
++            zone_dispatch_chain = "%s_ZONES_SOURCE" % (chain)
++        else:
++            zone_dispatch_chain = "%s_ZONES" % (chain)
++
+         target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
+         action = "-g"
+ 
+@@ -727,8 +736,8 @@ class ip4tables(object):
+             else:
+                 opt = "src"
+             flags = ",".join([opt] * self._fw.ipset.get_dimension(name))
+-            rule = [ add_del,
+-                     "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone,
++            rule = [ add_del, zone_dispatch_chain,
++                     "%%ZONE_SOURCE%%", zone,
+                      "-t", table,
+                      "-m", "set", "--match-set", name,
+                      flags, action, target ]
+@@ -737,14 +746,14 @@ class ip4tables(object):
+                 # outgoing can not be set
+                 if opt == "-d":
+                     return ""
+-                rule = [ add_del,
+-                         "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone,
++                rule = [ add_del, zone_dispatch_chain,
++                         "%%ZONE_SOURCE%%", zone,
+                          "-t", table,
+                          "-m", "mac", "--mac-source", address.upper(),
+                          action, target ]
+             else:
+-                rule = [ add_del,
+-                         "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone,
++                rule = [ add_del, zone_dispatch_chain,
++                         "%%ZONE_SOURCE%%", zone,
+                          "-t", table,
+                          opt, address, action, target ]
+         return [rule]
+-- 
+2.23.0
+
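Review bot: `set("INPUT_direct")` in the rewritten filter-table setup builds a set of the string's individual characters, not a one-element set, so `self.our_chains["filter"]` ends up holding single letters instead of chain names; the same pattern is used for `INPUT_%s`, `FORWARD_direct`, `FORWARD_%s_%s` and `OUTPUT_direct`. The raw, mangle and nat branches in this same patch wrap the name in a list (`set(["%s_%s" % (chain, dispatch_suffix)])`), and the removed code listed the filter chain names explicitly. Use `self.our_chains["filter"].add("INPUT_direct")`, `self.our_chains["filter"].add("INPUT_%s" % dispatch_suffix)` and likewise for the FORWARD and OUTPUT lines. The code that consults `our_chains["filter"]` is outside these hunks, which also cut through the enclosing method, but presumably it would no longer recognise firewalld's own filter chains.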
diff --git a/SOURCES/0126-test-verify-AllowZoneDrifting-yes.patch b/SOURCES/0126-test-verify-AllowZoneDrifting-yes.patch
new file mode 100644
index 0000000..6f0295a
--- /dev/null
+++ b/SOURCES/0126-test-verify-AllowZoneDrifting-yes.patch
@@ -0,0 +1,937 @@
+From b9224e74d5d06290827365bad8ca187c9d06fd49 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Sun, 19 Jan 2020 16:49:14 -0500
+Subject: [PATCH 126/127] test: verify AllowZoneDrifting=yes
+
+Verify the zone dispatch layout.
+
+(cherry picked from commit bca4e6af91fc4c6a55f7c2bce9e4fe7bcee526a1)
+(cherry picked from commit cd257ae4604b1666136ffb1e12924a5c1f74095f)
+---
+ src/tests/regression/gh258.at       | 532 +++++++++++++++++++++++++---
+ src/tests/regression/rhbz1734765.at | 181 +++++++++-
+ 2 files changed, 668 insertions(+), 45 deletions(-)
+
+diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at
+index 5671c37ba432..5c5c8db0126f 100644
+--- a/src/tests/regression/gh258.at
++++ b/src/tests/regression/gh258.at
+@@ -1,12 +1,15 @@
+ FWD_START_TEST([zone dispatch layout])
+-AT_KEYWORDS(zone gh258 gh441 rhbz1713823)
++AT_KEYWORDS(zone gh258 gh441 rhbz1713823 rhbz1772208 rhbz1796055)
+ 
+-FWD_CHECK([--zone=work --add-source="1.2.3.0/24"], 0, ignore)
++FWD_CHECK([--permanent --zone=trusted --add-source="1.2.3.0/24"], 0, ignore)
+ IF_HOST_SUPPORTS_IPV6_RULES([
+-FWD_CHECK([--zone=public --add-source="dead:beef::/54"], 0, ignore)
++FWD_CHECK([--permanent --zone=public --add-source="dead:beef::/54"], 0, ignore)
+ ])
+-FWD_CHECK([--zone=work --add-interface=dummy0], 0, ignore)
+-FWD_CHECK([--zone=public --add-interface=dummy1], 0, ignore)
++FWD_CHECK([--permanent --zone=trusted --add-interface=dummy0], 0, ignore)
++FWD_CHECK([--permanent --zone=public --add-interface=dummy1], 0, ignore)
++
++AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
++FWD_RELOAD
+ 
+ dnl verify layout of zone dispatch
+ m4_if(nftables, FIREWALL_BACKEND, [
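Review bot: The `sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf` step exits 0 even when the file has no `AllowZoneDrifting` line. AT_CHECK then passes without the setting having been written, and the layout checks run against whatever the daemon defaults to. Following it with `AT_CHECK([grep -q '^AllowZoneDrifting=no$' ./firewalld.conf])` would make the precondition explicit and give a clear failure if the key is missing. The same applies to the `=yes` substitution later in this file and to both substitutions in rhbz1734765.at.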
+@@ -25,9 +28,9 @@ NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl
+     table inet firewalld {
+         chain filter_INPUT_ZONES {
+             ip6 saddr dead:beef::/54 goto filter_IN_public
+-            ip saddr 1.2.3.0/24 goto filter_IN_work
++            ip saddr 1.2.3.0/24 goto filter_IN_trusted
++            iifname "dummy0" goto filter_IN_trusted
+             iifname "dummy1" goto filter_IN_public
+-            iifname "dummy0" goto filter_IN_work
+             goto filter_IN_public
+         }
+     }
+@@ -48,9 +51,9 @@ NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES], 0, [dnl
+     table inet firewalld {
+         chain filter_FORWARD_IN_ZONES {
+             ip6 saddr dead:beef::/54 goto filter_FWDI_public
+-            ip saddr 1.2.3.0/24 goto filter_FWDI_work
++            ip saddr 1.2.3.0/24 goto filter_FWDI_trusted
++            iifname "dummy0" goto filter_FWDI_trusted
+             iifname "dummy1" goto filter_FWDI_public
+-            iifname "dummy0" goto filter_FWDI_work
+             goto filter_FWDI_public
+         }
+     }
+@@ -59,9 +62,9 @@ NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl
+     table inet firewalld {
+         chain filter_FORWARD_OUT_ZONES {
+             ip6 daddr dead:beef::/54 goto filter_FWDO_public
+-            ip daddr 1.2.3.0/24 goto filter_FWDO_work
++            ip daddr 1.2.3.0/24 goto filter_FWDO_trusted
++            oifname "dummy0" goto filter_FWDO_trusted
+             oifname "dummy1" goto filter_FWDO_public
+-            oifname "dummy0" goto filter_FWDO_work
+             goto filter_FWDO_public
+         }
+     }
+@@ -89,9 +92,9 @@ NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl
+     table inet firewalld {
+         chain raw_PREROUTING_ZONES {
+             ip6 saddr dead:beef::/54 goto raw_PRE_public
+-            ip saddr 1.2.3.0/24 goto raw_PRE_work
++            ip saddr 1.2.3.0/24 goto raw_PRE_trusted
++            iifname "dummy0" goto raw_PRE_trusted
+             iifname "dummy1" goto raw_PRE_public
+-            iifname "dummy0" goto raw_PRE_work
+             goto raw_PRE_public
+         }
+     }
+@@ -107,9 +110,9 @@ NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl
+     table inet firewalld {
+         chain mangle_PREROUTING_ZONES {
+             ip6 saddr dead:beef::/54 goto mangle_PRE_public
+-            ip saddr 1.2.3.0/24 goto mangle_PRE_work
++            ip saddr 1.2.3.0/24 goto mangle_PRE_trusted
++            iifname "dummy0" goto mangle_PRE_trusted
+             iifname "dummy1" goto mangle_PRE_public
+-            iifname "dummy0" goto mangle_PRE_work
+             goto mangle_PRE_public
+         }
+     }
+@@ -124,9 +127,9 @@ NFT_LIST_RULES([ip], [nat_PREROUTING], 0, [dnl
+ NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES], 0, [dnl
+     table ip firewalld {
+         chain nat_PREROUTING_ZONES {
+-            ip saddr 1.2.3.0/24 goto nat_PRE_work
++            ip saddr 1.2.3.0/24 goto nat_PRE_trusted
++            iifname "dummy0" goto nat_PRE_trusted
+             iifname "dummy1" goto nat_PRE_public
+-            iifname "dummy0" goto nat_PRE_work
+             goto nat_PRE_public
+         }
+     }
+@@ -141,9 +144,9 @@ NFT_LIST_RULES([ip], [nat_POSTROUTING], 0, [dnl
+ NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl
+     table ip firewalld {
+         chain nat_POSTROUTING_ZONES {
+-            ip daddr 1.2.3.0/24 goto nat_POST_work
++            ip daddr 1.2.3.0/24 goto nat_POST_trusted
++            oifname "dummy0" goto nat_POST_trusted
+             oifname "dummy1" goto nat_POST_public
+-            oifname "dummy0" goto nat_POST_work
+             goto nat_POST_public
+         }
+     }
+@@ -159,8 +162,8 @@ NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES], 0, [dnl
+     table ip6 firewalld {
+         chain nat_PREROUTING_ZONES {
+             ip6 saddr dead:beef::/54 goto nat_PRE_public
++            iifname "dummy0" goto nat_PRE_trusted
+             iifname "dummy1" goto nat_PRE_public
+-            iifname "dummy0" goto nat_PRE_work
+             goto nat_PRE_public
+         }
+     }
+@@ -176,8 +179,8 @@ NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl
+     table ip6 firewalld {
+         chain nat_POSTROUTING_ZONES {
+             ip6 daddr dead:beef::/54 goto nat_POST_public
++            oifname "dummy0" goto nat_POST_trusted
+             oifname "dummy1" goto nat_POST_public
+-            oifname "dummy0" goto nat_POST_work
+             goto nat_POST_public
+         }
+     }
+@@ -193,9 +196,9 @@ IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
+     REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
+ ])
+ IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
+-  [[IN_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
++  [[IN_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
++    IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+     IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+-    IN_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+     IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ ]])
+ IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
+@@ -208,15 +211,15 @@ IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
+     REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
+ ])
+ IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0,
+-  [[FWDI_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
++  [[FWDI_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
++    FWDI_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+     FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+-    FWDI_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+     FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ ]])
+ IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0,
+-  [[FWDO_work all -- 0.0.0.0/0 1.2.3.0/24 [goto]
++  [[FWDO_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto]
++    FWDO_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+     FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+-    FWDO_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+     FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ ]])
+ IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
+@@ -224,9 +227,9 @@ IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
+     PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+ ])
+ IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,
+-  [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
++  [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
++    PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+     PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+-    PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+     PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ ]])
+ IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
+@@ -234,9 +237,9 @@ IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
+     PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+ ])
+ IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0,
+-  [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
++  [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
++    PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+     PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+-    PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+     PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ ]])
+ IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
+@@ -244,9 +247,9 @@ IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
+     PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+ ])
+ IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0,
+-  [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
++  [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
++    PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+     PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+-    PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+     PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ ]])
+ IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
+@@ -254,9 +257,9 @@ IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
+     POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+ ])
+ IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
+-  [[POST_work all -- 0.0.0.0/0 1.2.3.0/24 [goto]
++  [[POST_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto]
++    POST_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+     POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+-    POST_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+     POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ ]])
+ 
+@@ -270,8 +273,8 @@ IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl
+ ])
+ IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
+   [[IN_public all dead:beef::/54 ::/0 [goto]
++    IN_trusted all ::/0 ::/0 [goto]
+     IN_public all ::/0 ::/0 [goto]
+-    IN_work all ::/0 ::/0 [goto]
+     IN_public all ::/0 ::/0 [goto]
+ ]])
+ IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
+@@ -285,14 +288,14 @@ IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
+ ])
+ IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0,
+   [[FWDI_public all dead:beef::/54 ::/0 [goto]
++    FWDI_trusted all ::/0 ::/0 [goto]
+     FWDI_public all ::/0 ::/0 [goto]
+-    FWDI_work all ::/0 ::/0 [goto]
+     FWDI_public all ::/0 ::/0 [goto]
+ ]])
+ IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0,
+   [[FWDO_public all ::/0 dead:beef::/54 [goto]
++    FWDO_trusted all ::/0 ::/0 [goto]
+     FWDO_public all ::/0 ::/0 [goto]
+-    FWDO_work all ::/0 ::/0 [goto]
+     FWDO_public all ::/0 ::/0 [goto]
+ ]])
+ IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
+@@ -304,8 +307,8 @@ IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
+ ])
+ IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,
+   [[PRE_public all dead:beef::/54 ::/0 [goto]
++    PRE_trusted all ::/0 ::/0 [goto]
+     PRE_public all ::/0 ::/0 [goto]
+-    PRE_work all ::/0 ::/0 [goto]
+     PRE_public all ::/0 ::/0 [goto]
+ ]])
+ IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
+@@ -314,8 +317,8 @@ IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
+ ])
+ IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0,
+   [[PRE_public all dead:beef::/54 ::/0 [goto]
++    PRE_trusted all ::/0 ::/0 [goto]
+     PRE_public all ::/0 ::/0 [goto]
+-    PRE_work all ::/0 ::/0 [goto]
+     PRE_public all ::/0 ::/0 [goto]
+ ]])
+ IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
+@@ -324,8 +327,8 @@ IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
+ ])
+ IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0,
+   [[PRE_public all dead:beef::/54 ::/0 [goto]
++    PRE_trusted all ::/0 ::/0 [goto]
+     PRE_public all ::/0 ::/0 [goto]
+-    PRE_work all ::/0 ::/0 [goto]
+     PRE_public all ::/0 ::/0 [goto]
+ ]])
+ IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
+@@ -334,10 +337,453 @@ IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
+ ])
+ IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
+   [[POST_public all ::/0 dead:beef::/54 [goto]
++    POST_trusted all ::/0 ::/0 [goto]
+     POST_public all ::/0 ::/0 [goto]
+-    POST_work all ::/0 ::/0 [goto]
+     POST_public all ::/0 ::/0 [goto]
+ ]])
+ ])
+ 
+-FWD_END_TEST
++dnl ##########################################################################
++dnl ##########################################################################
++dnl We also support zone drifting in which source based zones fall through to
++dnl interface based zones (including default zone).
++dnl ##########################################################################
++dnl ##########################################################################
++AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=yes/' ./firewalld.conf])
++FWD_RELOAD
++
++NFT_LIST_RULES([inet], [filter_INPUT], 0, [dnl
++    table inet firewalld {
++        chain filter_INPUT {
++            ct state established,related accept
++            iifname "lo" accept
++            jump filter_INPUT_ZONES_SOURCE
++            jump filter_INPUT_ZONES
++            ct state invalid drop
++            reject with icmpx type admin-prohibited
++        }
++    }
++])
++NFT_LIST_RULES([inet], [filter_INPUT_ZONES_SOURCE], 0, [dnl
++    table inet firewalld {
++        chain filter_INPUT_ZONES_SOURCE {
++            ip6 saddr dead:beef::/54 goto filter_IN_public
++            ip saddr 1.2.3.0/24 goto filter_IN_trusted
++        }
++    }
++])
++NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl
++    table inet firewalld {
++        chain filter_INPUT_ZONES {
++            iifname "dummy0" goto filter_IN_trusted
++            iifname "dummy1" goto filter_IN_public
++            goto filter_IN_public
++        }
++    }
++])
++NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
++    table inet firewalld {
++        chain filter_FORWARD {
++            ct state established,related accept
++            iifname "lo" accept
++            jump filter_FORWARD_IN_ZONES_SOURCE
++            jump filter_FORWARD_IN_ZONES
++            jump filter_FORWARD_OUT_ZONES_SOURCE
++            jump filter_FORWARD_OUT_ZONES
++            ct state invalid drop
++            reject with icmpx type admin-prohibited
++        }
++    }
++])
++NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES_SOURCE], 0, [dnl
++    table inet firewalld {
++        chain filter_FORWARD_IN_ZONES_SOURCE {
++            ip6 saddr dead:beef::/54 goto filter_FWDI_public
++            ip saddr 1.2.3.0/24 goto filter_FWDI_trusted
++        }
++    }
++])
++NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES], 0, [dnl
++    table inet firewalld {
++        chain filter_FORWARD_IN_ZONES {
++            iifname "dummy0" goto filter_FWDI_trusted
++            iifname "dummy1" goto filter_FWDI_public
++            goto filter_FWDI_public
++        }
++    }
++])
++NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES_SOURCE], 0, [dnl
++    table inet firewalld {
++        chain filter_FORWARD_OUT_ZONES_SOURCE {
++            ip6 daddr dead:beef::/54 goto filter_FWDO_public
++            ip daddr 1.2.3.0/24 goto filter_FWDO_trusted
++        }
++    }
++])
++NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl
++    table inet firewalld {
++        chain filter_FORWARD_OUT_ZONES {
++            oifname "dummy0" goto filter_FWDO_trusted
++            oifname "dummy1" goto filter_FWDO_public
++            goto filter_FWDO_public
++        }
++    }
++])
++IF_HOST_SUPPORTS_NFT_FIB([
++    NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl
++        table inet firewalld {
++            chain raw_PREROUTING {
++                icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
++                meta nfproto ipv6 fib saddr . iif oif missing drop
++                jump raw_PREROUTING_ZONES_SOURCE
++                jump raw_PREROUTING_ZONES
++            }
++        }
++    ])
++], [
++    NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl
++        table inet firewalld {
++            chain raw_PREROUTING {
++                jump raw_PREROUTING_ZONES_SOURCE
++                jump raw_PREROUTING_ZONES
++            }
++        }
++    ])
++])
++NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES_SOURCE], 0, [dnl
++    table inet firewalld {
++        chain raw_PREROUTING_ZONES_SOURCE {
++            ip6 saddr dead:beef::/54 goto raw_PRE_public
++            ip saddr 1.2.3.0/24 goto raw_PRE_trusted
++        }
++    }
++])
++NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl
++    table inet firewalld {
++        chain raw_PREROUTING_ZONES {
++            iifname "dummy0" goto raw_PRE_trusted
++            iifname "dummy1" goto raw_PRE_public
++            goto raw_PRE_public
++        }
++    }
++])
++NFT_LIST_RULES([inet], [mangle_PREROUTING], 0, [dnl
++    table inet firewalld {
++        chain mangle_PREROUTING {
++            jump mangle_PREROUTING_ZONES_SOURCE
++            jump mangle_PREROUTING_ZONES
++        }
++    }
++])
++NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES_SOURCE], 0, [dnl
++    table inet firewalld {
++        chain mangle_PREROUTING_ZONES_SOURCE {
++            ip6 saddr dead:beef::/54 goto mangle_PRE_public
++            ip saddr 1.2.3.0/24 goto mangle_PRE_trusted
++        }
++    }
++])
++NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl
++    table inet firewalld {
++        chain mangle_PREROUTING_ZONES {
++            iifname "dummy0" goto mangle_PRE_trusted
++            iifname "dummy1" goto mangle_PRE_public
++            goto mangle_PRE_public
++        }
++    }
++])
++NFT_LIST_RULES([ip], [nat_PREROUTING], 0, [dnl
++    table ip firewalld {
++        chain nat_PREROUTING {
++            jump nat_PREROUTING_ZONES_SOURCE
++            jump nat_PREROUTING_ZONES
++        }
++    }
++])
++NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES_SOURCE], 0, [dnl
++    table ip firewalld {
++        chain nat_PREROUTING_ZONES_SOURCE {
++            ip saddr 1.2.3.0/24 goto nat_PRE_trusted
++        }
++    }
++])
++NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES], 0, [dnl
++    table ip firewalld {
++        chain nat_PREROUTING_ZONES {
++            iifname "dummy0" goto nat_PRE_trusted
++            iifname "dummy1" goto nat_PRE_public
++            goto nat_PRE_public
++        }
++    }
++])
++NFT_LIST_RULES([ip], [nat_POSTROUTING], 0, [dnl
++    table ip firewalld {
++        chain nat_POSTROUTING {
++            jump nat_POSTROUTING_ZONES_SOURCE
++            jump nat_POSTROUTING_ZONES
++        }
++    }
++])
++NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
++    table ip firewalld {
++        chain nat_POSTROUTING_ZONES_SOURCE {
++            ip daddr 1.2.3.0/24 goto nat_POST_trusted
++        }
++    }
++])
++NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl
++    table ip firewalld {
++        chain nat_POSTROUTING_ZONES {
++            oifname "dummy0" goto nat_POST_trusted
++            oifname "dummy1" goto nat_POST_public
++            goto nat_POST_public
++        }
++    }
++])
++NFT_LIST_RULES([ip6], [nat_PREROUTING], 0, [dnl
++    table ip6 firewalld {
++        chain nat_PREROUTING {
++            jump nat_PREROUTING_ZONES_SOURCE
++            jump nat_PREROUTING_ZONES
++        }
++    }
++])
++NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES_SOURCE], 0, [dnl
++    table ip6 firewalld {
++        chain nat_PREROUTING_ZONES_SOURCE {
++            ip6 saddr dead:beef::/54 goto nat_PRE_public
++        }
++    }
++])
++NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES], 0, [dnl
++    table ip6 firewalld {
++        chain nat_PREROUTING_ZONES {
++            iifname "dummy0" goto nat_PRE_trusted
++            iifname "dummy1" goto nat_PRE_public
++            goto nat_PRE_public
++        }
++    }
++])
++NFT_LIST_RULES([ip6], [nat_POSTROUTING], 0, [dnl
++    table ip6 firewalld {
++        chain nat_POSTROUTING {
++            jump nat_POSTROUTING_ZONES_SOURCE
++            jump nat_POSTROUTING_ZONES
++        }
++    }
++])
++NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
++    table ip6 firewalld {
++        chain nat_POSTROUTING_ZONES_SOURCE {
++            ip6 daddr dead:beef::/54 goto nat_POST_public
++        }
++    }
++])
++NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl
++    table ip6 firewalld {
++        chain nat_POSTROUTING_ZONES {
++            oifname "dummy0" goto nat_POST_trusted
++            oifname "dummy1" goto nat_POST_public
++            goto nat_POST_public
++        }
++    }
++])
++
++IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
++    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
++    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
++    INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
++    INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
++    INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
++    DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
++    REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
++])
++IPTABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0,
++  [[IN_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
++]])
++IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
++  [[IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++    IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++    IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++]])
++IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
++    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
++    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
++    FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
++    FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
++    FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
++    FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
++    FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
++    DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
++    REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
++])
++IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_SOURCE], 0,
++  [[FWDI_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
++]])
++IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0,
++  [[FWDI_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++    FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++    FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++]])
++IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_SOURCE], 0,
++  [[FWDO_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto]
++]])
++IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0,
++  [[FWDO_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++    FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++    FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++]])
++IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
++    PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
++    PREROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
++    PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
++])
++IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES_SOURCE], 0,
++  [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
++]])
++IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,
++  [[PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++]])
++IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
++    PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
++    PREROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
++    PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
++])
++IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES_SOURCE], 0,
++  [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
++]])
++IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0,
++  [[PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++]])
++IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
++    PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
++    PREROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
++    PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
++])
++IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES_SOURCE], 0,
++  [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
++]])
++IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0,
++  [[PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++]])
++IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
++    POSTROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
++    POSTROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
++    POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
++])
++IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0,
++  [[POST_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto]
++]])
++IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
++  [[POST_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++    POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++    POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++]])
++
++IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl
++    ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
++    ACCEPT all ::/0 ::/0
++    INPUT_direct all ::/0 ::/0
++    INPUT_ZONES_SOURCE all ::/0 ::/0
++    INPUT_ZONES all ::/0 ::/0
++    DROP all ::/0 ::/0 ctstate INVALID
++    REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
++])
++IP6TABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0,
++  [[IN_public all dead:beef::/54 ::/0 [goto]
++]])
++IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
++  [[IN_trusted all ::/0 ::/0 [goto]
++    IN_public all ::/0 ::/0 [goto]
++    IN_public all ::/0 ::/0 [goto]
++]])
++IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
++    ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
++    ACCEPT all ::/0 ::/0
++    FORWARD_direct all ::/0 ::/0
++    FORWARD_IN_ZONES_SOURCE all ::/0 ::/0
++    FORWARD_IN_ZONES all ::/0 ::/0
++    FORWARD_OUT_ZONES_SOURCE all ::/0 ::/0
++    FORWARD_OUT_ZONES all ::/0 ::/0
++    DROP all ::/0 ::/0 ctstate INVALID
++    REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
++])
++IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_SOURCE], 0,
++  [[FWDI_public all dead:beef::/54 ::/0 [goto]
++]])
++IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0,
++  [[FWDI_trusted all ::/0 ::/0 [goto]
++    FWDI_public all ::/0 ::/0 [goto]
++    FWDI_public all ::/0 ::/0 [goto]
++]])
++IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_SOURCE], 0,
++  [[FWDO_public all ::/0 dead:beef::/54 [goto]
++]])
++IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0,
++  [[FWDO_trusted all ::/0 ::/0 [goto]
++    FWDO_public all ::/0 ::/0 [goto]
++    FWDO_public all ::/0 ::/0 [goto]
++]])
++IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
++    ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134
++    ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135
++    DROP all ::/0 ::/0 rpfilter invert
++    PREROUTING_direct all ::/0 ::/0
++    PREROUTING_ZONES_SOURCE all ::/0 ::/0
++    PREROUTING_ZONES all ::/0 ::/0
++])
++IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES_SOURCE], 0,
++  [[PRE_public all dead:beef::/54 ::/0 [goto]
++]])
++IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,
++  [[PRE_trusted all ::/0 ::/0 [goto]
++    PRE_public all ::/0 ::/0 [goto]
++    PRE_public all ::/0 ::/0 [goto]
++]])
++IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
++    PREROUTING_direct all ::/0 ::/0
++    PREROUTING_ZONES_SOURCE all ::/0 ::/0
++    PREROUTING_ZONES all ::/0 ::/0
++])
++IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES_SOURCE], 0,
++  [[PRE_public all dead:beef::/54 ::/0 [goto]
++]])
++IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0,
++  [[PRE_trusted all ::/0 ::/0 [goto]
++    PRE_public all ::/0 ::/0 [goto]
++    PRE_public all ::/0 ::/0 [goto]
++]])
++IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
++    PREROUTING_direct all ::/0 ::/0
++    PREROUTING_ZONES_SOURCE all ::/0 ::/0
++    PREROUTING_ZONES all ::/0 ::/0
++])
++IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES_SOURCE], 0,
++  [[PRE_public all dead:beef::/54 ::/0 [goto]
++]])
++IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0,
++  [[PRE_trusted all ::/0 ::/0 [goto]
++    PRE_public all ::/0 ::/0 [goto]
++    PRE_public all ::/0 ::/0 [goto]
++]])
++IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
++    POSTROUTING_direct all ::/0 ::/0
++    POSTROUTING_ZONES_SOURCE all ::/0 ::/0
++    POSTROUTING_ZONES all ::/0 ::/0
++])
++IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0,
++  [[POST_public all ::/0 dead:beef::/54 [goto]
++]])
++IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
++  [[POST_trusted all ::/0 ::/0 [goto]
++    POST_public all ::/0 ::/0 [goto]
++    POST_public all ::/0 ::/0 [goto]
++]])
++
++FWD_END_TEST([-e '/WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now./d'])
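Review bot: The AllowZoneDrifting=yes checks added after the closing `])` are not inside a backend selection, while the existing checks above them are wrapped in `m4_if(nftables, FIREWALL_BACKEND, [` ... `])`. If NFT_LIST_RULES and IPTABLES_LIST_RULES in this branch do not gate on FIREWALL_BACKEND themselves (their definitions are not visible here), both sets of expectations would run under either backend. Wrapping the new block the same way would keep the two halves consistent: `m4_if(nftables, FIREWALL_BACKEND, [` before the first new NFT_LIST_RULES, `], [` before the first new IPTABLES_LIST_RULES, and `])` before FWD_END_TEST. If the macros do self-gate, the old wrapper is redundant and could be dropped instead.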
+diff --git a/src/tests/regression/rhbz1734765.at b/src/tests/regression/rhbz1734765.at
+index 276c1e433025..60cd18a6a6ea 100644
+--- a/src/tests/regression/rhbz1734765.at
++++ b/src/tests/regression/rhbz1734765.at
+@@ -1,9 +1,12 @@
+ FWD_START_TEST([zone sources ordered by name])
+-AT_KEYWORDS(zone rhbz1734765 rhbz1421222 gh166 rhbz1738545)
++AT_KEYWORDS(zone rhbz1734765 rhbz1421222 gh166 rhbz1738545 rhbz1772208 rhbz1796055)
+ dnl
+ dnl Users depend on firewalld ordering source-based zone dispatch by zone name.
+ dnl
+ 
++AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
++FWD_RELOAD
++
+ FWD_CHECK([-q --permanent --new-zone=foobar_00])
+ FWD_CHECK([-q --permanent --new-zone=foobar_05])
+ FWD_CHECK([-q --permanent --new-zone=foobar_02])
+@@ -199,4 +202,178 @@ IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
+ ]])
+ ])
+ 
+-FWD_END_TEST
++dnl ##########################################################################
++dnl ##########################################################################
++dnl We also support zone drifting in which source based zones fall through to
++dnl interface based zones (including default zone). So make sure the zones are
++dnl sorted by name in this mode.
++dnl ##########################################################################
++dnl ##########################################################################
++AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=yes/' ./firewalld.conf])
++FWD_RELOAD
++
++FWD_CHECK([-q --zone=foobar_010 --add-source="10.10.10.10"])
++FWD_CHECK([-q --zone=public --add-source="20.20.20.20"])
++IF_HOST_SUPPORTS_IPV6_RULES([
++FWD_CHECK([-q --zone=foobar_010 --add-source="1234:5678::10:10:10"])
++FWD_CHECK([-q --zone=public --add-source="1234:5678::20:20:20"])
++FWD_CHECK([-q --zone=foobar_012 --add-source ipset:ipsetv6])
++])
++FWD_CHECK([-q --zone=foobar_010 --add-interface=foobar2])
++
++NFT_LIST_RULES([inet], [filter_INPUT_ZONES_SOURCE], 0, [dnl
++    table inet firewalld {
++        chain filter_INPUT_ZONES_SOURCE {
++            ip saddr 10.1.1.1 goto filter_IN_foobar_00
++            ip6 saddr 1234:5678::1:1:1 goto filter_IN_foobar_00
++            ip saddr 10.1.1.0/24 goto filter_IN_foobar_01
++            ip6 saddr 1234:5678::1:1:0/112 goto filter_IN_foobar_01
++            ip saddr 10.10.10.10 goto filter_IN_foobar_010
++            ip6 saddr 1234:5678::10:10:10 goto filter_IN_foobar_010
++            ip saddr @ipsetv4 goto filter_IN_foobar_011
++            ip6 saddr @ipsetv6 goto filter_IN_foobar_012
++            ip saddr 10.1.0.0/16 goto filter_IN_foobar_02
++            ip6 saddr 1234:5678::1:0:0/96 goto filter_IN_foobar_02
++            ip saddr 10.2.2.0/24 goto filter_IN_foobar_03
++            ip6 saddr 1234:5678::2:2:0/112 goto filter_IN_foobar_03
++            ip saddr 10.2.0.0/16 goto filter_IN_foobar_04
++            ip6 saddr 1234:5678::2:0:0/96 goto filter_IN_foobar_04
++            ip saddr 10.0.0.0/8 goto filter_IN_foobar_05
++            ip6 saddr 1234:5678::/80 goto filter_IN_foobar_05
++            ip saddr 20.20.20.20 goto filter_IN_public
++            ip6 saddr 1234:5678::20:20:20 goto filter_IN_public
++        }
++    }
++])
++NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl
++    table inet firewalld {
++        chain filter_INPUT_ZONES {
++            iifname "foobar2" goto filter_IN_foobar_010
++            iifname "foobar1" goto filter_IN_trusted
++            iifname "foobar0" goto filter_IN_internal
++            goto filter_IN_public
++        }
++    }
++])
++NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
++    table ip firewalld {
++        chain nat_POSTROUTING_ZONES_SOURCE {
++            ip daddr 10.1.1.1 goto nat_POST_foobar_00
++            ip daddr 10.1.1.0/24 goto nat_POST_foobar_01
++            ip daddr 10.10.10.10 goto nat_POST_foobar_010
++            ip daddr @ipsetv4 goto nat_POST_foobar_011
++            ip daddr 10.1.0.0/16 goto nat_POST_foobar_02
++            ip daddr 10.2.2.0/24 goto nat_POST_foobar_03
++            ip daddr 10.2.0.0/16 goto nat_POST_foobar_04
++            ip daddr 10.0.0.0/8 goto nat_POST_foobar_05
++            ip daddr 20.20.20.20 goto nat_POST_public
++        }
++    }
++])
++NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl
++    table ip firewalld {
++        chain nat_POSTROUTING_ZONES {
++            oifname "foobar2" goto nat_POST_foobar_010
++            oifname "foobar1" goto nat_POST_trusted
++            oifname "foobar0" goto nat_POST_internal
++            goto nat_POST_public
++        }
++    }
++])
++NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
++    table ip6 firewalld {
++        chain nat_POSTROUTING_ZONES_SOURCE {
++            ip6 daddr 1234:5678::1:1:1 goto nat_POST_foobar_00
++            ip6 daddr 1234:5678::1:1:0/112 goto nat_POST_foobar_01
++            ip6 daddr 1234:5678::10:10:10 goto nat_POST_foobar_010
++            ip6 daddr @ipsetv6 goto nat_POST_foobar_012
++            ip6 daddr 1234:5678::1:0:0/96 goto nat_POST_foobar_02
++            ip6 daddr 1234:5678::2:2:0/112 goto nat_POST_foobar_03
++            ip6 daddr 1234:5678::2:0:0/96 goto nat_POST_foobar_04
++            ip6 daddr 1234:5678::/80 goto nat_POST_foobar_05
++            ip6 daddr 1234:5678::20:20:20 goto nat_POST_public
++        }
++    }
++])
++NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl
++    table ip6 firewalld {
++        chain nat_POSTROUTING_ZONES {
++            oifname "foobar2" goto nat_POST_foobar_010
++            oifname "foobar1" goto nat_POST_trusted
++            oifname "foobar0" goto nat_POST_internal
++            goto nat_POST_public
++        }
++    }
++])
++
++IPTABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0,
++  [[IN_foobar_00 all -- 10.1.1.1 0.0.0.0/0 [goto]
++    IN_foobar_01 all -- 10.1.1.0/24 0.0.0.0/0 [goto]
++    IN_foobar_010 all -- 10.10.10.10 0.0.0.0/0 [goto]
++    IN_foobar_011 all -- 0.0.0.0/0 0.0.0.0/0 [goto] match-set ipsetv4 src
++    IN_foobar_02 all -- 10.1.0.0/16 0.0.0.0/0 [goto]
++    IN_foobar_03 all -- 10.2.2.0/24 0.0.0.0/0 [goto]
++    IN_foobar_04 all -- 10.2.0.0/16 0.0.0.0/0 [goto]
++    IN_foobar_05 all -- 10.0.0.0/8 0.0.0.0/0 [goto]
++    IN_public all -- 20.20.20.20 0.0.0.0/0 [goto]
++]])
++IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
++  [[IN_foobar_010 all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++    IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++    IN_internal all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++    IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++]])
++IP6TABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0,
++  [[IN_foobar_00 all 1234:5678::1:1:1 ::/0 [goto]
++    IN_foobar_01 all 1234:5678::1:1:0/112 ::/0 [goto]
++    IN_foobar_010 all 1234:5678::10:10:10 ::/0 [goto]
++    IN_foobar_012 all ::/0 ::/0 [goto] match-set ipsetv6 src
++    IN_foobar_02 all 1234:5678::1:0:0/96 ::/0 [goto]
++    IN_foobar_03 all 1234:5678::2:2:0/112 ::/0 [goto]
++    IN_foobar_04 all 1234:5678::2:0:0/96 ::/0 [goto]
++    IN_foobar_05 all 1234:5678::/80 ::/0 [goto]
++    IN_public all 1234:5678::20:20:20 ::/0 [goto]
++]])
++IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
++  [[IN_foobar_010 all ::/0 ::/0 [goto]
++    IN_trusted all ::/0 ::/0 [goto]
++    IN_internal all ::/0 ::/0 [goto]
++    IN_public all ::/0 ::/0 [goto]
++]])
++IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0,
++  [[POST_foobar_00 all -- 0.0.0.0/0 10.1.1.1 [goto]
++    POST_foobar_01 all -- 0.0.0.0/0 10.1.1.0/24 [goto]
++    POST_foobar_010 all -- 0.0.0.0/0 10.10.10.10 [goto]
++    POST_foobar_011 all -- 0.0.0.0/0 0.0.0.0/0 [goto] match-set ipsetv4 dst
++    POST_foobar_02 all -- 0.0.0.0/0 10.1.0.0/16 [goto]
++    POST_foobar_03 all -- 0.0.0.0/0 10.2.2.0/24 [goto]
++    POST_foobar_04 all -- 0.0.0.0/0 10.2.0.0/16 [goto]
++    POST_foobar_05 all -- 0.0.0.0/0 10.0.0.0/8 [goto]
++    POST_public all -- 0.0.0.0/0 20.20.20.20 [goto]
++]])
++IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
++  [[POST_foobar_010 all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++    POST_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++    POST_internal all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++    POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
++]])
++IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0,
++  [[POST_foobar_00 all ::/0 1234:5678::1:1:1 [goto]
++    POST_foobar_01 all ::/0 1234:5678::1:1:0/112 [goto]
++    POST_foobar_010 all ::/0 1234:5678::10:10:10 [goto]
++    POST_foobar_012 all ::/0 ::/0 [goto] match-set ipsetv6 dst
++    POST_foobar_02 all ::/0 1234:5678::1:0:0/96 [goto]
++    POST_foobar_03 all ::/0 1234:5678::2:2:0/112 [goto]
++    POST_foobar_04 all ::/0 1234:5678::2:0:0/96 [goto]
++    POST_foobar_05 all ::/0 1234:5678::/80 [goto]
++    POST_public all ::/0 1234:5678::20:20:20 [goto]
++]])
++IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
++  [[POST_foobar_010 all ::/0 ::/0 [goto]
++    POST_trusted all ::/0 ::/0 [goto]
++    POST_internal all ::/0 ::/0 [goto]
++    POST_public all ::/0 ::/0 [goto]
++]])
++
++FWD_END_TEST([-e '/WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now./d' dnl
++              -e '/WARNING: ZONE_ALREADY_SET:/d'])
+-- 
+2.23.0
+
diff --git a/SOURCES/0127-RHEL-only-default-to-AllowZoneDrifting-yes.patch b/SOURCES/0127-RHEL-only-default-to-AllowZoneDrifting-yes.patch
new file mode 100644
index 0000000..79e0220
--- /dev/null
+++ b/SOURCES/0127-RHEL-only-default-to-AllowZoneDrifting-yes.patch
@@ -0,0 +1,114 @@
+From 1a751e61031808fb05ec0d01ae6db03eea9ddee4 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Tue, 4 Feb 2020 09:12:17 -0500
+Subject: [PATCH 127/127] RHEL only: default to AllowZoneDrifting=yes
+
+---
+ config/firewalld.conf               | 4 ++--
+ doc/xml/firewalld.conf.xml          | 2 +-
+ doc/xml/firewalld.dbus.xml          | 2 +-
+ src/firewall/config/__init__.py.in  | 2 +-
+ src/tests/dbus/firewalld.conf.at    | 4 ++--
+ src/tests/functions.at              | 1 +
+ src/tests/regression/rhbz1514043.at | 5 +++++
+ 7 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/config/firewalld.conf b/config/firewalld.conf
+index 02be07b9b892..1854f3795e0a 100644
+--- a/config/firewalld.conf
++++ b/config/firewalld.conf
+@@ -65,5 +65,5 @@ AutomaticHelpers=system
+ # Note: If "yes" packets will only drift from source based zones to interface
+ # based zones (including the default zone). Packets never drift from interface
+ # based zones to other interfaces based zones (including the default zone).
+-# Possible values; "yes", "no". Defaults to "no".
+-AllowZoneDrifting=no
++# Possible values; "yes", "no". Defaults to "yes".
++AllowZoneDrifting=yes
+diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
+index 9d8017df3112..8dff74152cd1 100644
+--- a/doc/xml/firewalld.conf.xml
++++ b/doc/xml/firewalld.conf.xml
+@@ -158,7 +158,7 @@
+                 to interface based zones (including the default zone). Packets
+                 never drift from interface based zones to other interfaces
+                 based zones (including the default zone).
+-                Valid values; "yes", "no". Defaults to "no".
++                Valid values; "yes", "no". Defaults to "yes".
+                 </para>
+             </listitem>
+         </varlistentry>
+diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
+index ea0be9cefd1c..afd2c7bba401 100644
+--- a/doc/xml/firewalld.dbus.xml
++++ b/doc/xml/firewalld.dbus.xml
+@@ -2571,7 +2571,7 @@
+                 to interface based zones (including the default zone). Packets
+                 never drift from interface based zones to other interfaces
+                 based zones (including the default zone).
+-                Valid values; "yes", "no". Defaults to "no".
++                Valid values; "yes", "no". Defaults to "yes".
+             </para></listitem>
+           </varlistentry>
+           <varlistentry id="FirewallD1.config.Properties.AutomaticHelpers">
+diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
+index 3926c8fdb3a3..561ea3f34325 100644
+--- a/src/firewall/config/__init__.py.in
++++ b/src/firewall/config/__init__.py.in
+@@ -128,4 +128,4 @@ FALLBACK_INDIVIDUAL_CALLS = False
+ FALLBACK_LOG_DENIED = "off"
+ FALLBACK_AUTOMATIC_HELPERS = "system"
+ FALLBACK_FIREWALL_BACKEND = "iptables"
+-FALLBACK_ALLOW_ZONE_DRIFTING = False
++FALLBACK_ALLOW_ZONE_DRIFTING = True
+diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
+index 0884e21b6368..8ed00f84e158 100644
+--- a/src/tests/dbus/firewalld.conf.at
++++ b/src/tests/dbus/firewalld.conf.at
+@@ -3,7 +3,7 @@ FWD_START_TEST([firewalld.conf])
+ dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
+ IF_HOST_SUPPORTS_NFT_FIB([
+ DBUS_GETALL([config], [config], 0, [dnl
+-string "AllowZoneDrifting" : variant string "no"
++string "AllowZoneDrifting" : variant string "yes"
+ string "AutomaticHelpers" : variant string "system"
+ string "CleanupOnExit" : variant string "no"
+ string "DefaultZone" : variant string "public"
+@@ -14,7 +14,7 @@ string "LogDenied" : variant string "off"
+ string "MinimalMark" : variant int32 100
+ ])], [
+ DBUS_GETALL([config], [config], 0, [dnl
+-string "AllowZoneDrifting" : variant string "no"
++string "AllowZoneDrifting" : variant string "yes"
+ string "AutomaticHelpers" : variant string "system"
+ string "CleanupOnExit" : variant string "no"
+ string "DefaultZone" : variant string "public"
+diff --git a/src/tests/functions.at b/src/tests/functions.at
+index d663716cb138..b9e44cea8d49 100644
+--- a/src/tests/functions.at
++++ b/src/tests/functions.at
+@@ -144,6 +144,7 @@ m4_define([FWD_END_TEST], [
+             sed -i "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" ./firewalld.log
+         ])
+         sed -i "/modprobe: ERROR:/d" ./firewalld.log
++        sed -i "/WARNING: AllowZoneDrifting is enabled./d" ./firewalld.log
+         if test x"$1" != x"ignore"; then
+             if test -n "$1"; then
+                 sed -i $1 ./firewalld.log
+diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
+index ff2ede2ece71..7f061d86c2f1 100644
+--- a/src/tests/regression/rhbz1514043.at
++++ b/src/tests/regression/rhbz1514043.at
+@@ -1,4 +1,9 @@
+ FWD_START_TEST([--set-log-denied does not zero config])
++
++dnl Expected test results assume this is set to "no"
++AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
++FWD_RELOAD
++
+ FWD_CHECK([-q --set-log-denied=all])
+ FWD_CHECK([-q --permanent --zone=public --add-service=samba])
+ FWD_RELOAD
+-- 
+2.23.0
+
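Review bot: `FALLBACK_ALLOW_ZONE_DRIFTING = True` in the `src/firewall/config/__init__.py.in` hunk, together with `AllowZoneDrifting=yes` in `config/firewalld.conf`, enables by default the behaviour that the daemon's own warning (filtered in the `functions.at` hunk) calls an insecure configuration option. The patch message has no body and no comment records why. I would add a comment above the constant, e.g. `# RHEL-only: upstream default is False; True restores fallback from source zones to interface zones, which firewalld itself warns is insecure.`, and a matching sentence in the `firewalld.conf` comment so administrators know to set `AllowZoneDrifting=no` for strict zone separation. The option descriptions begin outside these nested hunks. If they still say drifting is disabled by default for security reasons, as the commit message of patch 0123 does, that sentence now contradicts the new `Defaults to "yes"` line and should be reworded in `firewalld.conf`, `firewalld.conf.xml` and `firewalld.dbus.xml`.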
diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec
index c66783f..81d4eb4 100644
--- a/SPECS/firewalld.spec
+++ b/SPECS/firewalld.spec
@@ -8,7 +8,7 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
 Version: 0.6.3
-Release: 8%{?dist}
+Release: 8%{?dist}.1
 URL:     http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
@@ -133,6 +133,11 @@ Patch119: 0119-fix-tests-convert-probe-of-nft-numeric-args-to-runti.patch
 Patch120: 0120-fix-tests-convert-ip6tables-checks-to-runtime.patch
 Patch121: 0121-fix-tests-convert-host-ipv6-checks-to-runtime.patch
 Patch122: 0122-chore-tests-rename-IF_IPV6_SUPPORTED-to-IF_HOST_SUPP.patch
+Patch123: 0123-feat-AllowZoneDrifting-config-option.patch
+Patch124: 0124-feat-nftables-support-AllowZoneDrifting-yes.patch
+Patch125: 0125-feat-ipXtables-support-AllowZoneDrifting-yes.patch
+Patch126: 0126-test-verify-AllowZoneDrifting-yes.patch
+Patch127: 0127-RHEL-only-default-to-AllowZoneDrifting-yes.patch
 
 BuildArch: noarch
 BuildRequires: desktop-file-utils
@@ -433,6 +438,9 @@ fi
 %{_mandir}/man1/firewall-config*.1*
 
 %changelog
+* Thu Feb 13 2020 Eric Garver <egarver@redhat.com> - 0.6.3-8.el7_8.1
+- fix: firewalld not falling back to interface zone
+
 * Fri Nov 08 2019 Eric Garver <egarver@redhat.com> - 0.6.3-8
 - fix: failure to load modules no longer fatal