From e5bc451f0f0240c7fe460196e6d07163366318c2 Mon Sep 17 00:00:00 2001 From: Eric Garver Date: Sun, 19 Jan 2020 16:49:14 -0500 Subject: [PATCH 142/146] test: verify AllowZoneDrifting=yes Verify the zone dispatch layout. (cherry picked from commit bca4e6af91fc4c6a55f7c2bce9e4fe7bcee526a1) (cherry picked from commit cd257ae4604b1666136ffb1e12924a5c1f74095f) --- src/tests/regression/gh258.at | 532 +++++++++++++++++++++++++--- src/tests/regression/rhbz1734765.at | 181 +++++++++- 2 files changed, 668 insertions(+), 45 deletions(-) diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at index 5671c37ba432..5c5c8db0126f 100644 --- a/src/tests/regression/gh258.at +++ b/src/tests/regression/gh258.at @@ -1,12 +1,15 @@ FWD_START_TEST([zone dispatch layout]) -AT_KEYWORDS(zone gh258 gh441 rhbz1713823) +AT_KEYWORDS(zone gh258 gh441 rhbz1713823 rhbz1772208 rhbz1796055) -FWD_CHECK([--zone=work --add-source="1.2.3.0/24"], 0, ignore) +FWD_CHECK([--permanent --zone=trusted --add-source="1.2.3.0/24"], 0, ignore) IF_HOST_SUPPORTS_IPV6_RULES([ -FWD_CHECK([--zone=public --add-source="dead:beef::/54"], 0, ignore) +FWD_CHECK([--permanent --zone=public --add-source="dead:beef::/54"], 0, ignore) ]) -FWD_CHECK([--zone=work --add-interface=dummy0], 0, ignore) -FWD_CHECK([--zone=public --add-interface=dummy1], 0, ignore) +FWD_CHECK([--permanent --zone=trusted --add-interface=dummy0], 0, ignore) +FWD_CHECK([--permanent --zone=public --add-interface=dummy1], 0, ignore) + +AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf]) +FWD_RELOAD dnl verify layout of zone dispatch m4_if(nftables, FIREWALL_BACKEND, [ @@ -25,9 +28,9 @@ NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl table inet firewalld { chain filter_INPUT_ZONES { ip6 saddr dead:beef::/54 goto filter_IN_public - ip saddr 1.2.3.0/24 goto filter_IN_work + ip saddr 1.2.3.0/24 goto filter_IN_trusted + iifname "dummy0" goto filter_IN_trusted iifname "dummy1" goto filter_IN_public - iifname "dummy0" goto filter_IN_work goto filter_IN_public } } @@ -48,9 +51,9 @@ NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES], 0, [dnl table inet firewalld { chain filter_FORWARD_IN_ZONES { ip6 saddr dead:beef::/54 goto filter_FWDI_public - ip saddr 1.2.3.0/24 goto filter_FWDI_work + ip saddr 1.2.3.0/24 goto filter_FWDI_trusted + iifname "dummy0" goto filter_FWDI_trusted iifname "dummy1" goto filter_FWDI_public - iifname "dummy0" goto filter_FWDI_work goto filter_FWDI_public } } @@ -59,9 +62,9 @@ NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl table inet firewalld { chain filter_FORWARD_OUT_ZONES { ip6 daddr dead:beef::/54 goto filter_FWDO_public - ip daddr 1.2.3.0/24 goto filter_FWDO_work + ip daddr 1.2.3.0/24 goto filter_FWDO_trusted + oifname "dummy0" goto filter_FWDO_trusted oifname "dummy1" goto filter_FWDO_public - oifname "dummy0" goto filter_FWDO_work goto filter_FWDO_public } } @@ -89,9 +92,9 @@ NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl table inet firewalld { chain raw_PREROUTING_ZONES { ip6 saddr dead:beef::/54 goto raw_PRE_public - ip saddr 1.2.3.0/24 goto raw_PRE_work + ip saddr 1.2.3.0/24 goto raw_PRE_trusted + iifname "dummy0" goto raw_PRE_trusted iifname "dummy1" goto raw_PRE_public - iifname "dummy0" goto raw_PRE_work goto raw_PRE_public } } @@ -107,9 +110,9 @@ NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl table inet firewalld { chain mangle_PREROUTING_ZONES { ip6 saddr dead:beef::/54 goto mangle_PRE_public - ip saddr 1.2.3.0/24 goto mangle_PRE_work + ip saddr 1.2.3.0/24 goto mangle_PRE_trusted + iifname "dummy0" goto mangle_PRE_trusted iifname "dummy1" goto mangle_PRE_public - iifname "dummy0" goto mangle_PRE_work goto mangle_PRE_public } } @@ -124,9 +127,9 @@ NFT_LIST_RULES([ip], [nat_PREROUTING], 0, [dnl NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES], 0, [dnl table ip firewalld { chain nat_PREROUTING_ZONES { - ip saddr 1.2.3.0/24 goto nat_PRE_work + ip saddr 1.2.3.0/24 goto nat_PRE_trusted + iifname "dummy0" goto nat_PRE_trusted iifname "dummy1" goto nat_PRE_public - iifname "dummy0" goto nat_PRE_work goto nat_PRE_public } } @@ -141,9 +144,9 @@ NFT_LIST_RULES([ip], [nat_POSTROUTING], 0, [dnl NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl table ip firewalld { chain nat_POSTROUTING_ZONES { - ip daddr 1.2.3.0/24 goto nat_POST_work + ip daddr 1.2.3.0/24 goto nat_POST_trusted + oifname "dummy0" goto nat_POST_trusted oifname "dummy1" goto nat_POST_public - oifname "dummy0" goto nat_POST_work goto nat_POST_public } } @@ -159,8 +162,8 @@ NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES], 0, [dnl table ip6 firewalld { chain nat_PREROUTING_ZONES { ip6 saddr dead:beef::/54 goto nat_PRE_public + iifname "dummy0" goto nat_PRE_trusted iifname "dummy1" goto nat_PRE_public - iifname "dummy0" goto nat_PRE_work goto nat_PRE_public } } @@ -176,8 +179,8 @@ NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl table ip6 firewalld { chain nat_POSTROUTING_ZONES { ip6 daddr dead:beef::/54 goto nat_POST_public + oifname "dummy0" goto nat_POST_trusted oifname "dummy1" goto nat_POST_public - oifname "dummy0" goto nat_POST_work goto nat_POST_public } } @@ -193,9 +196,9 @@ IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited ]) IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0, - [[IN_work all -- 1.2.3.0/24 0.0.0.0/0 [goto] + [[IN_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] + IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] - IN_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ]]) IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl @@ -208,15 +211,15 @@ IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited ]) IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, - [[FWDI_work all -- 1.2.3.0/24 0.0.0.0/0 [goto] + [[FWDI_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] + FWDI_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] - FWDI_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ]]) IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, - [[FWDO_work all -- 0.0.0.0/0 1.2.3.0/24 [goto] + [[FWDO_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto] + FWDO_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] - FWDO_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ]]) IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl @@ -224,9 +227,9 @@ IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 ]) IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, - [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto] + [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] + PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] - PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ]]) IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl @@ -234,9 +237,9 @@ IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 ]) IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, - [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto] + [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] + PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] - PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ]]) IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl @@ -244,9 +247,9 @@ IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 ]) IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, - [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto] + [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] + PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] - PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ]]) IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl @@ -254,9 +257,9 @@ IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 ]) IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, - [[POST_work all -- 0.0.0.0/0 1.2.3.0/24 [goto] + [[POST_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto] + POST_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] - POST_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ]]) @@ -270,8 +273,8 @@ IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl ]) IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0, [[IN_public all dead:beef::/54 ::/0 [goto] + IN_trusted all ::/0 ::/0 [goto] IN_public all ::/0 ::/0 [goto] - IN_work all ::/0 ::/0 [goto] IN_public all ::/0 ::/0 [goto] ]]) IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl @@ -285,14 +288,14 @@ IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl ]) IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, [[FWDI_public all dead:beef::/54 ::/0 [goto] + FWDI_trusted all ::/0 ::/0 [goto] FWDI_public all ::/0 ::/0 [goto] - FWDI_work all ::/0 ::/0 [goto] FWDI_public all ::/0 ::/0 [goto] ]]) IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, [[FWDO_public all ::/0 dead:beef::/54 [goto] + FWDO_trusted all ::/0 ::/0 [goto] FWDO_public all ::/0 ::/0 [goto] - FWDO_work all ::/0 ::/0 [goto] FWDO_public all ::/0 ::/0 [goto] ]]) IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl @@ -304,8 +307,8 @@ IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl ]) IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, [[PRE_public all dead:beef::/54 ::/0 [goto] + PRE_trusted all ::/0 ::/0 [goto] PRE_public all ::/0 ::/0 [goto] - PRE_work all ::/0 ::/0 [goto] PRE_public all ::/0 ::/0 [goto] ]]) IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl @@ -314,8 +317,8 @@ IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl ]) IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, [[PRE_public all dead:beef::/54 ::/0 [goto] + PRE_trusted all ::/0 ::/0 [goto] PRE_public all ::/0 ::/0 [goto] - PRE_work all ::/0 ::/0 [goto] PRE_public all ::/0 ::/0 [goto] ]]) IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl @@ -324,8 +327,8 @@ IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl ]) IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, [[PRE_public all dead:beef::/54 ::/0 [goto] + PRE_trusted all ::/0 ::/0 [goto] PRE_public all ::/0 ::/0 [goto] - PRE_work all ::/0 ::/0 [goto] PRE_public all ::/0 ::/0 [goto] ]]) IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl @@ -334,10 +337,453 @@ IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl ]) IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, [[POST_public all ::/0 dead:beef::/54 [goto] + POST_trusted all ::/0 ::/0 [goto] POST_public all ::/0 ::/0 [goto] - POST_work all ::/0 ::/0 [goto] POST_public all ::/0 ::/0 [goto] ]]) ]) -FWD_END_TEST +dnl ########################################################################## +dnl ########################################################################## +dnl We also support zone drifting in which source based zones fall through to +dnl interface based zones (including default zone). +dnl ########################################################################## +dnl ########################################################################## +AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=yes/' ./firewalld.conf]) +FWD_RELOAD + +NFT_LIST_RULES([inet], [filter_INPUT], 0, [dnl + table inet firewalld { + chain filter_INPUT { + ct state established,related accept + iifname "lo" accept + jump filter_INPUT_ZONES_SOURCE + jump filter_INPUT_ZONES + ct state invalid drop + reject with icmpx type admin-prohibited + } + } +]) +NFT_LIST_RULES([inet], [filter_INPUT_ZONES_SOURCE], 0, [dnl + table inet firewalld { + chain filter_INPUT_ZONES_SOURCE { + ip6 saddr dead:beef::/54 goto filter_IN_public + ip saddr 1.2.3.0/24 goto filter_IN_trusted + } + } +]) +NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl + table inet firewalld { + chain filter_INPUT_ZONES { + iifname "dummy0" goto filter_IN_trusted + iifname "dummy1" goto filter_IN_public + goto filter_IN_public + } + } +]) +NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl + table inet firewalld { + chain filter_FORWARD { + ct state established,related accept + iifname "lo" accept + jump filter_FORWARD_IN_ZONES_SOURCE + jump filter_FORWARD_IN_ZONES + jump filter_FORWARD_OUT_ZONES_SOURCE + jump filter_FORWARD_OUT_ZONES + ct state invalid drop + reject with icmpx type admin-prohibited + } + } +]) +NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES_SOURCE], 0, [dnl + table inet firewalld { + chain filter_FORWARD_IN_ZONES_SOURCE { + ip6 saddr dead:beef::/54 goto filter_FWDI_public + ip saddr 1.2.3.0/24 goto filter_FWDI_trusted + } + } +]) +NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES], 0, [dnl + table inet firewalld { + chain filter_FORWARD_IN_ZONES { + iifname "dummy0" goto filter_FWDI_trusted + iifname "dummy1" goto filter_FWDI_public + goto filter_FWDI_public + } + } +]) +NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES_SOURCE], 0, [dnl + table inet firewalld { + chain filter_FORWARD_OUT_ZONES_SOURCE { + ip6 daddr dead:beef::/54 goto filter_FWDO_public + ip daddr 1.2.3.0/24 goto filter_FWDO_trusted + } + } +]) +NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl + table inet firewalld { + chain filter_FORWARD_OUT_ZONES { + oifname "dummy0" goto filter_FWDO_trusted + oifname "dummy1" goto filter_FWDO_public + goto filter_FWDO_public + } + } +]) +IF_HOST_SUPPORTS_NFT_FIB([ + NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl + table inet firewalld { + chain raw_PREROUTING { + icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept + meta nfproto ipv6 fib saddr . iif oif missing drop + jump raw_PREROUTING_ZONES_SOURCE + jump raw_PREROUTING_ZONES + } + } + ]) +], [ + NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl + table inet firewalld { + chain raw_PREROUTING { + jump raw_PREROUTING_ZONES_SOURCE + jump raw_PREROUTING_ZONES + } + } + ]) +]) +NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES_SOURCE], 0, [dnl + table inet firewalld { + chain raw_PREROUTING_ZONES_SOURCE { + ip6 saddr dead:beef::/54 goto raw_PRE_public + ip saddr 1.2.3.0/24 goto raw_PRE_trusted + } + } +]) +NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl + table inet firewalld { + chain raw_PREROUTING_ZONES { + iifname "dummy0" goto raw_PRE_trusted + iifname "dummy1" goto raw_PRE_public + goto raw_PRE_public + } + } +]) +NFT_LIST_RULES([inet], [mangle_PREROUTING], 0, [dnl + table inet firewalld { + chain mangle_PREROUTING { + jump mangle_PREROUTING_ZONES_SOURCE + jump mangle_PREROUTING_ZONES + } + } +]) +NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES_SOURCE], 0, [dnl + table inet firewalld { + chain mangle_PREROUTING_ZONES_SOURCE { + ip6 saddr dead:beef::/54 goto mangle_PRE_public + ip saddr 1.2.3.0/24 goto mangle_PRE_trusted + } + } +]) +NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl + table inet firewalld { + chain mangle_PREROUTING_ZONES { + iifname "dummy0" goto mangle_PRE_trusted + iifname "dummy1" goto mangle_PRE_public + goto mangle_PRE_public + } + } +]) +NFT_LIST_RULES([ip], [nat_PREROUTING], 0, [dnl + table ip firewalld { + chain nat_PREROUTING { + jump nat_PREROUTING_ZONES_SOURCE + jump nat_PREROUTING_ZONES + } + } +]) +NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES_SOURCE], 0, [dnl + table ip firewalld { + chain nat_PREROUTING_ZONES_SOURCE { + ip saddr 1.2.3.0/24 goto nat_PRE_trusted + } + } +]) +NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES], 0, [dnl + table ip firewalld { + chain nat_PREROUTING_ZONES { + iifname "dummy0" goto nat_PRE_trusted + iifname "dummy1" goto nat_PRE_public + goto nat_PRE_public + } + } +]) +NFT_LIST_RULES([ip], [nat_POSTROUTING], 0, [dnl + table ip firewalld { + chain nat_POSTROUTING { + jump nat_POSTROUTING_ZONES_SOURCE + jump nat_POSTROUTING_ZONES + } + } +]) +NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl + table ip firewalld { + chain nat_POSTROUTING_ZONES_SOURCE { + ip daddr 1.2.3.0/24 goto nat_POST_trusted + } + } +]) +NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl + table ip firewalld { + chain nat_POSTROUTING_ZONES { + oifname "dummy0" goto nat_POST_trusted + oifname "dummy1" goto nat_POST_public + goto nat_POST_public + } + } +]) +NFT_LIST_RULES([ip6], [nat_PREROUTING], 0, [dnl + table ip6 firewalld { + chain nat_PREROUTING { + jump nat_PREROUTING_ZONES_SOURCE + jump nat_PREROUTING_ZONES + } + } +]) +NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES_SOURCE], 0, [dnl + table ip6 firewalld { + chain nat_PREROUTING_ZONES_SOURCE { + ip6 saddr dead:beef::/54 goto nat_PRE_public + } + } +]) +NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES], 0, [dnl + table ip6 firewalld { + chain nat_PREROUTING_ZONES { + iifname "dummy0" goto nat_PRE_trusted + iifname "dummy1" goto nat_PRE_public + goto nat_PRE_public + } + } +]) +NFT_LIST_RULES([ip6], [nat_POSTROUTING], 0, [dnl + table ip6 firewalld { + chain nat_POSTROUTING { + jump nat_POSTROUTING_ZONES_SOURCE + jump nat_POSTROUTING_ZONES + } + } +]) +NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl + table ip6 firewalld { + chain nat_POSTROUTING_ZONES_SOURCE { + ip6 daddr dead:beef::/54 goto nat_POST_public + } + } +]) +NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl + table ip6 firewalld { + chain nat_POSTROUTING_ZONES { + oifname "dummy0" goto nat_POST_trusted + oifname "dummy1" goto nat_POST_public + goto nat_POST_public + } + } +]) + +IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl + ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED + ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 + INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0 + INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 + INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0 + DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID + REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited +]) +IPTABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0, + [[IN_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] +]]) +IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0, + [[IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +]]) +IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl + ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED + ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 + FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0 + FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 + FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0 + FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 + FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0 + DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID + REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited +]) +IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_SOURCE], 0, + [[FWDI_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] +]]) +IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, + [[FWDI_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +]]) +IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_SOURCE], 0, + [[FWDO_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto] +]]) +IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, + [[FWDO_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +]]) +IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl + PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0 + PREROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 + PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 +]) +IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES_SOURCE], 0, + [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] +]]) +IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, + [[PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +]]) +IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl + PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0 + PREROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 + PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 +]) +IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES_SOURCE], 0, + [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] +]]) +IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, + [[PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +]]) +IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl + PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0 + PREROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 + PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 +]) +IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES_SOURCE], 0, + [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] +]]) +IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, + [[PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +]]) +IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl + POSTROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0 + POSTROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 + POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 +]) +IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0, + [[POST_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto] +]]) +IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, + [[POST_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +]]) + +IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl + ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED + ACCEPT all ::/0 ::/0 + INPUT_direct all ::/0 ::/0 + INPUT_ZONES_SOURCE all ::/0 ::/0 + INPUT_ZONES all ::/0 ::/0 + DROP all ::/0 ::/0 ctstate INVALID + REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited +]) +IP6TABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0, + [[IN_public all dead:beef::/54 ::/0 [goto] +]]) +IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0, + [[IN_trusted all ::/0 ::/0 [goto] + IN_public all ::/0 ::/0 [goto] + IN_public all ::/0 ::/0 [goto] +]]) +IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl + ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED + ACCEPT all ::/0 ::/0 + FORWARD_direct all ::/0 ::/0 + FORWARD_IN_ZONES_SOURCE all ::/0 ::/0 + FORWARD_IN_ZONES all ::/0 ::/0 + FORWARD_OUT_ZONES_SOURCE all ::/0 ::/0 + FORWARD_OUT_ZONES all ::/0 ::/0 + DROP all ::/0 ::/0 ctstate INVALID + REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited +]) +IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_SOURCE], 0, + [[FWDI_public all dead:beef::/54 ::/0 [goto] +]]) +IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, + [[FWDI_trusted all ::/0 ::/0 [goto] + FWDI_public all ::/0 ::/0 [goto] + FWDI_public all ::/0 ::/0 [goto] +]]) +IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_SOURCE], 0, + [[FWDO_public all ::/0 dead:beef::/54 [goto] +]]) +IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, + [[FWDO_trusted all ::/0 ::/0 [goto] + FWDO_public all ::/0 ::/0 [goto] + FWDO_public all ::/0 ::/0 [goto] +]]) +IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl + ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134 + ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135 + DROP all ::/0 ::/0 rpfilter invert + PREROUTING_direct all ::/0 ::/0 + PREROUTING_ZONES_SOURCE all ::/0 ::/0 + PREROUTING_ZONES all ::/0 ::/0 +]) +IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES_SOURCE], 0, + [[PRE_public all dead:beef::/54 ::/0 [goto] +]]) +IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, + [[PRE_trusted all ::/0 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] +]]) +IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl + PREROUTING_direct all ::/0 ::/0 + PREROUTING_ZONES_SOURCE all ::/0 ::/0 + PREROUTING_ZONES all ::/0 ::/0 +]) +IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES_SOURCE], 0, + [[PRE_public all dead:beef::/54 ::/0 [goto] +]]) +IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, + [[PRE_trusted all ::/0 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] +]]) +IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl + PREROUTING_direct all ::/0 ::/0 + PREROUTING_ZONES_SOURCE all ::/0 ::/0 + PREROUTING_ZONES all ::/0 ::/0 +]) +IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES_SOURCE], 0, + [[PRE_public all dead:beef::/54 ::/0 [goto] +]]) +IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, + [[PRE_trusted all ::/0 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] +]]) +IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl + POSTROUTING_direct all ::/0 ::/0 + POSTROUTING_ZONES_SOURCE all ::/0 ::/0 + POSTROUTING_ZONES all ::/0 ::/0 +]) +IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0, + [[POST_public all ::/0 dead:beef::/54 [goto] +]]) +IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, + [[POST_trusted all ::/0 ::/0 [goto] + POST_public all ::/0 ::/0 [goto] + POST_public all ::/0 ::/0 [goto] +]]) + +FWD_END_TEST([-e '/WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now./d']) diff --git a/src/tests/regression/rhbz1734765.at b/src/tests/regression/rhbz1734765.at index 276c1e433025..60cd18a6a6ea 100644 --- a/src/tests/regression/rhbz1734765.at +++ b/src/tests/regression/rhbz1734765.at @@ -1,9 +1,12 @@ FWD_START_TEST([zone sources ordered by name]) -AT_KEYWORDS(zone rhbz1734765 rhbz1421222 gh166 rhbz1738545) +AT_KEYWORDS(zone rhbz1734765 rhbz1421222 gh166 rhbz1738545 rhbz1772208 rhbz1796055) dnl dnl Users depend on firewalld ordering source-based zone dispatch by zone name. dnl +AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf]) +FWD_RELOAD + FWD_CHECK([-q --permanent --new-zone=foobar_00]) FWD_CHECK([-q --permanent --new-zone=foobar_05]) FWD_CHECK([-q --permanent --new-zone=foobar_02]) @@ -199,4 +202,178 @@ IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, ]]) ]) -FWD_END_TEST +dnl ########################################################################## +dnl ########################################################################## +dnl We also support zone drifting in which source based zones fall through to +dnl interface based zones (including default zone). So make sure the zones are +dnl sorted by name in this mode. +dnl ########################################################################## +dnl ########################################################################## +AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=yes/' ./firewalld.conf]) +FWD_RELOAD + +FWD_CHECK([-q --zone=foobar_010 --add-source="10.10.10.10"]) +FWD_CHECK([-q --zone=public --add-source="20.20.20.20"]) +IF_HOST_SUPPORTS_IPV6_RULES([ +FWD_CHECK([-q --zone=foobar_010 --add-source="1234:5678::10:10:10"]) +FWD_CHECK([-q --zone=public --add-source="1234:5678::20:20:20"]) +FWD_CHECK([-q --zone=foobar_012 --add-source ipset:ipsetv6]) +]) +FWD_CHECK([-q --zone=foobar_010 --add-interface=foobar2]) + +NFT_LIST_RULES([inet], [filter_INPUT_ZONES_SOURCE], 0, [dnl + table inet firewalld { + chain filter_INPUT_ZONES_SOURCE { + ip saddr 10.1.1.1 goto filter_IN_foobar_00 + ip6 saddr 1234:5678::1:1:1 goto filter_IN_foobar_00 + ip saddr 10.1.1.0/24 goto filter_IN_foobar_01 + ip6 saddr 1234:5678::1:1:0/112 goto filter_IN_foobar_01 + ip saddr 10.10.10.10 goto filter_IN_foobar_010 + ip6 saddr 1234:5678::10:10:10 goto filter_IN_foobar_010 + ip saddr @ipsetv4 goto filter_IN_foobar_011 + ip6 saddr @ipsetv6 goto filter_IN_foobar_012 + ip saddr 10.1.0.0/16 goto filter_IN_foobar_02 + ip6 saddr 1234:5678::1:0:0/96 goto filter_IN_foobar_02 + ip saddr 10.2.2.0/24 goto filter_IN_foobar_03 + ip6 saddr 1234:5678::2:2:0/112 goto filter_IN_foobar_03 + ip saddr 10.2.0.0/16 goto filter_IN_foobar_04 + ip6 saddr 1234:5678::2:0:0/96 goto filter_IN_foobar_04 + ip saddr 10.0.0.0/8 goto filter_IN_foobar_05 + ip6 saddr 1234:5678::/80 goto filter_IN_foobar_05 + ip saddr 20.20.20.20 goto filter_IN_public + ip6 saddr 1234:5678::20:20:20 goto filter_IN_public + } + } +]) +NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl + table inet firewalld { + chain filter_INPUT_ZONES { + iifname "foobar2" goto filter_IN_foobar_010 + iifname "foobar1" goto filter_IN_trusted + iifname "foobar0" goto filter_IN_internal + goto filter_IN_public + } + } +]) +NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl + table ip firewalld { + chain nat_POSTROUTING_ZONES_SOURCE { + ip daddr 10.1.1.1 goto nat_POST_foobar_00 + ip daddr 10.1.1.0/24 goto nat_POST_foobar_01 + ip daddr 10.10.10.10 goto nat_POST_foobar_010 + ip daddr @ipsetv4 goto nat_POST_foobar_011 + ip daddr 10.1.0.0/16 goto nat_POST_foobar_02 + ip daddr 10.2.2.0/24 goto nat_POST_foobar_03 + ip daddr 10.2.0.0/16 goto nat_POST_foobar_04 + ip daddr 10.0.0.0/8 goto nat_POST_foobar_05 + ip daddr 20.20.20.20 goto nat_POST_public + } + } +]) +NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl + table ip firewalld { + chain nat_POSTROUTING_ZONES { + oifname "foobar2" goto nat_POST_foobar_010 + oifname "foobar1" goto nat_POST_trusted + oifname "foobar0" goto nat_POST_internal + goto nat_POST_public + } + } +]) +NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl + table ip6 firewalld { + chain nat_POSTROUTING_ZONES_SOURCE { + ip6 daddr 1234:5678::1:1:1 goto nat_POST_foobar_00 + ip6 daddr 1234:5678::1:1:0/112 goto nat_POST_foobar_01 + ip6 daddr 1234:5678::10:10:10 goto nat_POST_foobar_010 + ip6 daddr @ipsetv6 goto nat_POST_foobar_012 + ip6 daddr 1234:5678::1:0:0/96 goto nat_POST_foobar_02 + ip6 daddr 1234:5678::2:2:0/112 goto nat_POST_foobar_03 + ip6 daddr 1234:5678::2:0:0/96 goto nat_POST_foobar_04 + ip6 daddr 1234:5678::/80 goto nat_POST_foobar_05 + ip6 daddr 1234:5678::20:20:20 goto nat_POST_public + } + } +]) +NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl + table ip6 firewalld { + chain nat_POSTROUTING_ZONES { + oifname "foobar2" goto nat_POST_foobar_010 + oifname "foobar1" goto nat_POST_trusted + oifname "foobar0" goto nat_POST_internal + goto nat_POST_public + } + } +]) + +IPTABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0, + [[IN_foobar_00 all -- 10.1.1.1 0.0.0.0/0 [goto] + IN_foobar_01 all -- 10.1.1.0/24 0.0.0.0/0 [goto] + IN_foobar_010 all -- 10.10.10.10 0.0.0.0/0 [goto] + IN_foobar_011 all -- 0.0.0.0/0 0.0.0.0/0 [goto] match-set ipsetv4 src + IN_foobar_02 all -- 10.1.0.0/16 0.0.0.0/0 [goto] + IN_foobar_03 all -- 10.2.2.0/24 0.0.0.0/0 [goto] + IN_foobar_04 all -- 10.2.0.0/16 0.0.0.0/0 [goto] + IN_foobar_05 all -- 10.0.0.0/8 0.0.0.0/0 [goto] + IN_public all -- 20.20.20.20 0.0.0.0/0 [goto] +]]) +IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0, + [[IN_foobar_010 all -- 0.0.0.0/0 0.0.0.0/0 [goto] + IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + IN_internal all -- 0.0.0.0/0 0.0.0.0/0 [goto] + IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +]]) +IP6TABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0, + [[IN_foobar_00 all 1234:5678::1:1:1 ::/0 [goto] + IN_foobar_01 all 1234:5678::1:1:0/112 ::/0 [goto] + IN_foobar_010 all 1234:5678::10:10:10 ::/0 [goto] + IN_foobar_012 all ::/0 ::/0 [goto] match-set ipsetv6 src + IN_foobar_02 all 1234:5678::1:0:0/96 ::/0 [goto] + IN_foobar_03 all 1234:5678::2:2:0/112 ::/0 [goto] + IN_foobar_04 all 1234:5678::2:0:0/96 ::/0 [goto] + IN_foobar_05 all 1234:5678::/80 ::/0 [goto] + IN_public all 1234:5678::20:20:20 ::/0 [goto] +]]) +IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0, + [[IN_foobar_010 all ::/0 ::/0 [goto] + IN_trusted all ::/0 ::/0 [goto] + IN_internal all ::/0 ::/0 [goto] + IN_public all ::/0 ::/0 [goto] +]]) +IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0, + [[POST_foobar_00 all -- 0.0.0.0/0 10.1.1.1 [goto] + POST_foobar_01 all -- 0.0.0.0/0 10.1.1.0/24 [goto] + POST_foobar_010 all -- 0.0.0.0/0 10.10.10.10 [goto] + POST_foobar_011 all -- 0.0.0.0/0 0.0.0.0/0 [goto] match-set ipsetv4 dst + POST_foobar_02 all -- 0.0.0.0/0 10.1.0.0/16 [goto] + POST_foobar_03 all -- 0.0.0.0/0 10.2.2.0/24 [goto] + POST_foobar_04 all -- 0.0.0.0/0 10.2.0.0/16 [goto] + POST_foobar_05 all -- 0.0.0.0/0 10.0.0.0/8 [goto] + POST_public all -- 0.0.0.0/0 20.20.20.20 [goto] +]]) +IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, + [[POST_foobar_010 all -- 0.0.0.0/0 0.0.0.0/0 [goto] + POST_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + POST_internal all -- 0.0.0.0/0 0.0.0.0/0 [goto] + POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +]]) +IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0, + [[POST_foobar_00 all ::/0 1234:5678::1:1:1 [goto] + POST_foobar_01 all ::/0 1234:5678::1:1:0/112 [goto] + POST_foobar_010 all ::/0 1234:5678::10:10:10 [goto] + POST_foobar_012 all ::/0 ::/0 [goto] match-set ipsetv6 dst + POST_foobar_02 all ::/0 1234:5678::1:0:0/96 [goto] + POST_foobar_03 all ::/0 1234:5678::2:2:0/112 [goto] + POST_foobar_04 all ::/0 1234:5678::2:0:0/96 [goto] + POST_foobar_05 all ::/0 1234:5678::/80 [goto] + POST_public all ::/0 1234:5678::20:20:20 [goto] +]]) +IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, + [[POST_foobar_010 all ::/0 ::/0 [goto] + POST_trusted all ::/0 ::/0 [goto] + POST_internal all ::/0 ::/0 [goto] + POST_public all ::/0 ::/0 [goto] +]]) + +FWD_END_TEST([-e '/WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now./d' dnl + -e '/WARNING: ZONE_ALREADY_SET:/d']) -- 2.23.0