From f317fbc7e7ad1094b4cfb7570af29772d1a02fd7 Mon Sep 17 00:00:00 2001 From: Eric Garver Date: Wed, 31 Jul 2019 13:57:10 -0400 Subject: [PATCH 74/79] fix: guarantee zone source dispatch is sorted by zone name Apparently users depend on firewalld sorting zone dispatch for sources by the zone name. This is used to specify precedence for overlapping address spaces. Since we have to track rule positions of source based dispatch we might as well abuse this and combine the source/interface dispatch into a single chain. Fixes: rhbz 1734765 Fixes: 70993581d79b ("fix: do not allow zone drifting") (cherry picked from commit afc35c20e58b00b81cd2e1f3e863b3b3bac37c77) (cherry picked from commit a3542499510658b7d93a83d47d3de090860d6e37) --- src/firewall/core/ipXtables.py | 93 ++++++++--- src/firewall/core/nftables.py | 93 ++++++++--- src/tests/firewall-cmd.at | 4 +- src/tests/regression/gh258.at | 274 ++++++++++----------------------- 4 files changed, 223 insertions(+), 241 deletions(-) diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py index c2339e40539a..647a7a161517 100644 --- a/src/firewall/core/ipXtables.py +++ b/src/firewall/core/ipXtables.py @@ -20,6 +20,7 @@ # import os.path +import copy from firewall.core.base import SHORTCUTS, DEFAULT_ZONE_TARGET from firewall.core.prog import runProg @@ -175,6 +176,7 @@ class ip4tables(object): self.restore_wait_option = self._detect_restore_wait_option() self.fill_exists() self.available_tables = [] + self.zone_source_index_cache = [] self.our_chains = {} # chains created by firewalld def fill_exists(self): @@ -286,10 +288,49 @@ class ip4tables(object): chain = args[i+1] return (table, chain) + def _run_replace_zone_source(self, rule, zone_source_index_cache): + try: + i = rule.index("%%ZONE_SOURCE%%") + rule.pop(i) + zone = rule.pop(i) + if "-m" == rule[4]: # ipset/mac + zone_source = (zone, rule[7]) # (zone, address) + else: + zone_source = (zone, rule[5]) # (zone, address) + except ValueError: + try: + i = rule.index("%%ZONE_INTERFACE%%") + rule.pop(i) + zone_source = None + except ValueError: + return + + rule_add = True + if rule[0] in ["-D", "--delete"]: + rule_add = False + + if zone_source and not rule_add: + if zone_source in zone_source_index_cache: + zone_source_index_cache.remove(zone_source) + elif rule_add: + if zone_source: + # order source based dispatch by zone name + if zone_source not in zone_source_index_cache: + zone_source_index_cache.append(zone_source) + zone_source_index_cache.sort(key=lambda x: x[0]) + + index = zone_source_index_cache.index(zone_source) + else: + index = len(zone_source_index_cache) + + rule[0] = "-I" + rule.insert(2, "%d" % (index + 1)) + def set_rules(self, rules, log_denied): temp_file = tempFile() table_rules = { } + zone_source_index_cache = copy.deepcopy(self.zone_source_index_cache) for _rule in rules: rule = _rule[:] @@ -313,6 +354,8 @@ class ip4tables(object): else: rule.pop(i) + self._run_replace_zone_source(rule, zone_source_index_cache) + table = "filter" # get table form rule for opt in [ "-t", "--table" ]: @@ -374,6 +417,7 @@ class ip4tables(object): if status != 0: raise ValueError("'%s %s' failed: %s" % (self._restore_command, " ".join(args), ret)) + self.zone_source_index_cache = zone_source_index_cache return ret def set_rule(self, rule, log_denied): @@ -397,7 +441,13 @@ class ip4tables(object): else: rule.pop(i) - return self.__run(rule) + zone_source_index_cache = copy.deepcopy(self.zone_source_index_cache) + self._run_replace_zone_source(rule, zone_source_index_cache) + + output = self.__run(rule) + + self.zone_source_index_cache = zone_source_index_cache + return output def get_available_tables(self, table=None): ret = [] @@ -447,6 +497,7 @@ class ip4tables(object): return wait_option def build_flush_rules(self): + self.zone_source_index_cache = [] rules = [] for table in BUILT_IN_CHAINS.keys(): if not self.get_available_tables(table): @@ -527,10 +578,8 @@ class ip4tables(object): if chain == "PREROUTING": default_rules["raw"].append("-N %s_ZONES" % chain) - default_rules["raw"].append("-N %s_ZONES_IFACES" % chain) default_rules["raw"].append("-A %s -j %s_ZONES" % (chain, chain)) - default_rules["raw"].append("-A %s_ZONES -g %s_ZONES_IFACES" % (chain, chain)) - self.our_chains["raw"].update(set(["%s_ZONES" % chain, "%s_ZONES_IFACES" % chain])) + self.our_chains["raw"].update(set(["%s_ZONES" % chain])) if self.get_available_tables("mangle"): default_rules["mangle"] = [ ] @@ -542,10 +591,8 @@ class ip4tables(object): if chain == "PREROUTING": default_rules["mangle"].append("-N %s_ZONES" % chain) - default_rules["mangle"].append("-N %s_ZONES_IFACES" % chain) default_rules["mangle"].append("-A %s -j %s_ZONES" % (chain, chain)) - default_rules["mangle"].append("-A %s_ZONES -g %s_ZONES_IFACES" % (chain, chain)) - self.our_chains["mangle"].update(set(["%s_ZONES" % chain, "%s_ZONES_IFACES" % chain])) + self.our_chains["mangle"].update(set(["%s_ZONES" % chain])) if self.get_available_tables("nat"): default_rules["nat"] = [ ] @@ -557,21 +604,17 @@ class ip4tables(object): if chain in [ "PREROUTING", "POSTROUTING" ]: default_rules["nat"].append("-N %s_ZONES" % chain) - default_rules["nat"].append("-N %s_ZONES_IFACES" % chain) default_rules["nat"].append("-A %s -j %s_ZONES" % (chain, chain)) - default_rules["nat"].append("-A %s_ZONES -g %s_ZONES_IFACES" % (chain, chain)) - self.our_chains["nat"].update(set(["%s_ZONES" % chain, "%s_ZONES_IFACES" % chain])) + self.our_chains["nat"].update(set(["%s_ZONES" % chain])) default_rules["filter"] = [ "-N INPUT_direct", "-N INPUT_ZONES", - "-N INPUT_ZONES_IFACES", "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT", "-A INPUT -i lo -j ACCEPT", "-A INPUT -j INPUT_direct", "-A INPUT -j INPUT_ZONES", - "-A INPUT_ZONES -g INPUT_ZONES_IFACES", ] if log_denied != "off": default_rules["filter"].append("-A INPUT -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '") @@ -584,16 +627,12 @@ class ip4tables(object): "-N FORWARD_direct", "-N FORWARD_IN_ZONES", "-N FORWARD_OUT_ZONES", - "-N FORWARD_IN_ZONES_IFACES", - "-N FORWARD_OUT_ZONES_IFACES", "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT", "-A FORWARD -i lo -j ACCEPT", "-A FORWARD -j FORWARD_direct", "-A FORWARD -j FORWARD_IN_ZONES", "-A FORWARD -j FORWARD_OUT_ZONES", - "-A FORWARD_IN_ZONES -g FORWARD_IN_ZONES_IFACES", - "-A FORWARD_OUT_ZONES -g FORWARD_OUT_ZONES_IFACES", ] if log_denied != "off": default_rules["filter"].append("-A FORWARD -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '") @@ -609,10 +648,9 @@ class ip4tables(object): "-A OUTPUT -j OUTPUT_direct", ] - self.our_chains["filter"] = set(["INPUT_direct", "INPUT_ZONES", "INPUT_ZONES_IFACES" + self.our_chains["filter"] = set(["INPUT_direct", "INPUT_ZONES", "FORWARD_direct", "FORWARD_IN_ZONES", - "FORWARD_IN_ZONES_IFACES" "FORWARD_OUT_ZONES", - "FORWARD_OUT_ZONES_IFACES", "OUTPUT_direct"]) + "FORWARD_OUT_ZONES", "OUTPUT_direct"]) final_default_rules = [] for table in default_rules: @@ -656,11 +694,13 @@ class ip4tables(object): action = "-g" if enable and not append: - rule = [ "-I", "%s_ZONES_IFACES" % chain, "1" ] + rule = [ "-I", "%s_ZONES" % chain, "%%ZONE_INTERFACE%%" ] elif enable: - rule = [ "-A", "%s_ZONES_IFACES" % chain ] + rule = [ "-A", "%s_ZONES" % chain ] else: - rule = [ "-D", "%s_ZONES_IFACES" % chain ] + rule = [ "-D", "%s_ZONES" % chain ] + if not append: + rule += ["%%ZONE_INTERFACE%%"] rule += [ "-t", table, opt, interface, action, target ] return [rule] @@ -688,7 +728,8 @@ class ip4tables(object): opt = "src" flags = ",".join([opt] * self._fw.ipset.get_dimension(name)) rule = [ add_del, - "%s_ZONES" % chain, "-t", table, + "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone, + "-t", table, "-m", "set", "--match-set", name, flags, action, target ] else: @@ -697,12 +738,14 @@ class ip4tables(object): if opt == "-d": return "" rule = [ add_del, - "%s_ZONES" % chain, "-t", table, + "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone, + "-t", table, "-m", "mac", "--mac-source", address.upper(), action, target ] else: rule = [ add_del, - "%s_ZONES" % chain, "-t", table, + "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone, + "-t", table, opt, address, action, target ] return [rule] diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py index 0fe686a01878..05376fdd68d8 100644 --- a/src/firewall/core/nftables.py +++ b/src/firewall/core/nftables.py @@ -20,6 +20,7 @@ # import os.path +import copy from firewall.core.base import SHORTCUTS, DEFAULT_ZONE_TARGET from firewall.core.prog import runProg @@ -160,11 +161,54 @@ class nftables(object): self.available_tables = [] self.rule_to_handle = {} self.rule_ref_count = {} + self.zone_source_index_cache = {} def fill_exists(self): self.command_exists = os.path.exists(self._command) self.restore_command_exists = False + def _run_replace_zone_source(self, rule_add, rule, zone_source_index_cache): + try: + i = rule.index("%%ZONE_SOURCE%%") + rule.pop(i) + zone = rule.pop(i) + zone_source = (zone, rule[7]) # (zone, address) + except ValueError: + try: + i = rule.index("%%ZONE_INTERFACE%%") + rule.pop(i) + zone_source = None + except ValueError: + return + + family = rule[2] + + if zone_source and not rule_add: + if family in zone_source_index_cache and \ + zone_source in zone_source_index_cache[family]: + zone_source_index_cache[family].remove(zone_source) + elif rule_add: + if family not in zone_source_index_cache: + zone_source_index_cache[family] = [] + + if zone_source: + # order source based dispatch by zone name + if zone_source not in zone_source_index_cache[family]: + zone_source_index_cache[family].append(zone_source) + zone_source_index_cache[family].sort(key=lambda x: x[0]) + + index = zone_source_index_cache[family].index(zone_source) + else: + index = len(zone_source_index_cache[family]) + + if index == 0: + rule[0] = "insert" + else: + index -= 1 # point to the rule before insertion point + rule[0] = "add" + rule.insert(i, "index") + rule.insert(i+1, "%d" % index) + def __run(self, args): nft_opts = ["--echo", "--handle"] _args = args[:] @@ -198,11 +242,6 @@ class nftables(object): rule_add = False rule_key = _args[2:] rule_key = " ".join(rule_key) - # delete using rule handle - _args = ["delete", "rule"] + _args[2:5] + \ - ["handle", self.rule_to_handle[rule_key]] - - _args_str = " ".join(_args) # rule deduplication if rule_key in self.rule_ref_count: @@ -218,15 +257,28 @@ class nftables(object): raise FirewallError(UNKNOWN_ERROR, "rule ref count bug: rule_key '%s', cnt %d" % (rule_key, self.rule_ref_count[rule_key])) log.debug2("%s: rule ref cnt %d, %s %s", self.__class__, - self.rule_ref_count[rule_key], self._command, _args_str) + self.rule_ref_count[rule_key], self._command, " ".join(_args)) + + if rule_key: + zone_source_index_cache = copy.deepcopy(self.zone_source_index_cache) + self._run_replace_zone_source(rule_add, _args, zone_source_index_cache) if not rule_key or (not rule_add and self.rule_ref_count[rule_key] == 0) \ or ( rule_add and rule_key not in self.rule_ref_count): + # delete using rule handle + if rule_key and not rule_add: + _args = ["delete", "rule"] + _args[2:5] + \ + ["handle", self.rule_to_handle[rule_key]] + _args_str = " ".join(_args) log.debug2("%s: %s %s", self.__class__, self._command, _args_str) (status, output) = runProg(self._command, nft_opts + _args) if status != 0: raise ValueError("'%s %s' failed: %s" % (self._command, _args_str, output)) + + if rule_key: + self.zone_source_index_cache = zone_source_index_cache + # nft requires deleting rules by handle. So we must cache the rule # handle when adding/inserting rules. # @@ -303,6 +355,7 @@ class nftables(object): def build_flush_rules(self): self.rule_to_handle = {} self.rule_ref_count = {} + self.zone_source_index_cache = {} rules = [] for family in OUR_CHAINS.keys(): @@ -359,10 +412,8 @@ class nftables(object): IPTABLES_TO_NFT_HOOK["raw"][chain][1])) default_rules.append("add chain inet %s raw_%s_ZONES" % (TABLE_NAME, chain)) - default_rules.append("add chain inet %s raw_%s_ZONES_IFACES" % (TABLE_NAME, chain)) default_rules.append("add rule inet %s raw_%s jump raw_%s_ZONES" % (TABLE_NAME, chain, chain)) - default_rules.append("add rule inet %s raw_%s_ZONES goto raw_%s_ZONES_IFACES" % (TABLE_NAME, chain, chain)) - OUR_CHAINS["inet"]["raw"].update(set(["%s_ZONES_IFACES" % chain, "%s_ZONES" % chain])) + OUR_CHAINS["inet"]["raw"].update(set(["%s_ZONES" % chain])) OUR_CHAINS["inet"]["mangle"] = set() for chain in IPTABLES_TO_NFT_HOOK["mangle"].keys(): @@ -372,10 +423,8 @@ class nftables(object): IPTABLES_TO_NFT_HOOK["mangle"][chain][1])) default_rules.append("add chain inet %s mangle_%s_ZONES" % (TABLE_NAME, chain)) - default_rules.append("add chain inet %s mangle_%s_ZONES_IFACES" % (TABLE_NAME, chain)) default_rules.append("add rule inet %s mangle_%s jump mangle_%s_ZONES" % (TABLE_NAME, chain, chain)) - default_rules.append("add rule inet %s mangle_%s_ZONES goto mangle_%s_ZONES_IFACES" % (TABLE_NAME, chain, chain)) - OUR_CHAINS["inet"]["mangle"].update(set(["%s_ZONES_IFACES" % chain, "%s_ZONES" % chain])) + OUR_CHAINS["inet"]["mangle"].update(set(["%s_ZONES" % chain])) OUR_CHAINS["ip"]["nat"] = set() OUR_CHAINS["ip6"]["nat"] = set() @@ -387,10 +436,8 @@ class nftables(object): IPTABLES_TO_NFT_HOOK["nat"][chain][1])) default_rules.append("add chain %s %s nat_%s_ZONES" % (family, TABLE_NAME, chain)) - default_rules.append("add chain %s %s nat_%s_ZONES_IFACES" % (family, TABLE_NAME, chain)) default_rules.append("add rule %s %s nat_%s jump nat_%s_ZONES" % (family, TABLE_NAME, chain, chain)) - default_rules.append("add rule %s %s nat_%s_ZONES goto nat_%s_ZONES_IFACES" % (family, TABLE_NAME, chain, chain)) - OUR_CHAINS[family]["nat"].update(set(["%s_ZONES_IFACES" % chain, "%s_ZONES" % chain])) + OUR_CHAINS[family]["nat"].update(set(["%s_ZONES" % chain])) OUR_CHAINS["inet"]["filter"] = set() for chain in IPTABLES_TO_NFT_HOOK["filter"].keys(): @@ -401,11 +448,9 @@ class nftables(object): # filter, INPUT default_rules.append("add chain inet %s filter_%s_ZONES" % (TABLE_NAME, "INPUT")) - default_rules.append("add chain inet %s filter_%s_ZONES_IFACES" % (TABLE_NAME, "INPUT")) default_rules.append("add rule inet %s filter_%s ct state established,related accept" % (TABLE_NAME, "INPUT")) default_rules.append("add rule inet %s filter_%s iifname lo accept" % (TABLE_NAME, "INPUT")) default_rules.append("add rule inet %s filter_%s jump filter_%s_ZONES" % (TABLE_NAME, "INPUT", "INPUT")) - default_rules.append("add rule inet %s filter_%s_ZONES goto filter_%s_ZONES_IFACES" % (TABLE_NAME, "INPUT", "INPUT")) if log_denied != "off": default_rules.append("add rule inet %s filter_%s ct state invalid %%%%LOGTYPE%%%% log prefix '\"STATE_INVALID_DROP: \"'" % (TABLE_NAME, "INPUT")) default_rules.append("add rule inet %s filter_%s ct state invalid drop" % (TABLE_NAME, "INPUT")) @@ -415,15 +460,11 @@ class nftables(object): # filter, FORWARD default_rules.append("add chain inet %s filter_%s_IN_ZONES" % (TABLE_NAME, "FORWARD")) - default_rules.append("add chain inet %s filter_%s_IN_ZONES_IFACES" % (TABLE_NAME, "FORWARD")) default_rules.append("add chain inet %s filter_%s_OUT_ZONES" % (TABLE_NAME, "FORWARD")) - default_rules.append("add chain inet %s filter_%s_OUT_ZONES_IFACES" % (TABLE_NAME, "FORWARD")) default_rules.append("add rule inet %s filter_%s ct state established,related accept" % (TABLE_NAME, "FORWARD")) default_rules.append("add rule inet %s filter_%s iifname lo accept" % (TABLE_NAME, "FORWARD")) default_rules.append("add rule inet %s filter_%s jump filter_%s_IN_ZONES" % (TABLE_NAME, "FORWARD", "FORWARD")) default_rules.append("add rule inet %s filter_%s jump filter_%s_OUT_ZONES" % (TABLE_NAME, "FORWARD", "FORWARD")) - default_rules.append("add rule inet %s filter_%s_IN_ZONES goto filter_%s_IN_ZONES_IFACES" % (TABLE_NAME, "FORWARD", "FORWARD")) - default_rules.append("add rule inet %s filter_%s_OUT_ZONES goto filter_%s_OUT_ZONES_IFACES" % (TABLE_NAME, "FORWARD", "FORWARD")) if log_denied != "off": default_rules.append("add rule inet %s filter_%s ct state invalid %%%%LOGTYPE%%%% log prefix '\"STATE_INVALID_DROP: \"'" % (TABLE_NAME, "FORWARD")) default_rules.append("add rule inet %s filter_%s ct state invalid drop" % (TABLE_NAME, "FORWARD")) @@ -482,11 +523,14 @@ class nftables(object): action = "goto" if enable and not append: - rule = ["insert", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES_IFACES" % (table, chain)] + rule = ["insert", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES" % (table, chain), + "%%ZONE_INTERFACE%%"] elif enable: - rule = ["add", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES_IFACES" % (table, chain)] + rule = ["add", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES" % (table, chain)] else: - rule = ["delete", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES_IFACES" % (table, chain)] + rule = ["delete", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES" % (table, chain)] + if not append: + rule += ["%%ZONE_INTERFACE%%"] if interface == "*": rule += [action, "%s_%s" % (table, target)] else: @@ -537,6 +581,7 @@ class nftables(object): rule = [add_del, "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES" % (table, chain), + "%%ZONE_SOURCE%%", zone, rule_family, opt, address, action, "%s_%s" % (table, target)] return [rule] diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at index 28948636172d..6a4b670d7935 100644 --- a/src/tests/firewall-cmd.at +++ b/src/tests/firewall-cmd.at @@ -138,9 +138,9 @@ FWD_START_TEST([zone interfaces]) FWD_CHECK([--add-interface=foobar+++], 0, ignore) FWD_CHECK([--add-interface=foobar+], 0, ignore) m4_if(nftables, FIREWALL_BACKEND, [ - NFT_LIST_RULES([inet], [filter_INPUT_ZONES_IFACES], 0, [dnl + NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl table inet firewalld { - chain filter_INPUT_ZONES_IFACES { + chain filter_INPUT_ZONES { iifname "foobar*" goto filter_IN_public iifname "foobar++*" goto filter_IN_public goto filter_IN_trusted diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at index 3e5e961f6599..fb863c35528e 100644 --- a/src/tests/regression/gh258.at +++ b/src/tests/regression/gh258.at @@ -26,13 +26,6 @@ NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl chain filter_INPUT_ZONES { ip6 saddr dead:beef::/54 goto filter_IN_public ip saddr 1.2.3.0/24 goto filter_IN_work - goto filter_INPUT_ZONES_IFACES - } - } -]) -NFT_LIST_RULES([inet], [filter_INPUT_ZONES_IFACES], 0, [dnl - table inet firewalld { - chain filter_INPUT_ZONES_IFACES { iifname "dummy1" goto filter_IN_public iifname "dummy0" goto filter_IN_work goto filter_IN_public @@ -56,13 +49,6 @@ NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES], 0, [dnl chain filter_FORWARD_IN_ZONES { ip6 saddr dead:beef::/54 goto filter_FWDI_public ip saddr 1.2.3.0/24 goto filter_FWDI_work - goto filter_FORWARD_IN_ZONES_IFACES - } - } -]) -NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES_IFACES], 0, [dnl - table inet firewalld { - chain filter_FORWARD_IN_ZONES_IFACES { iifname "dummy1" goto filter_FWDI_public iifname "dummy0" goto filter_FWDI_work goto filter_FWDI_public @@ -74,13 +60,6 @@ NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl chain filter_FORWARD_OUT_ZONES { ip6 daddr dead:beef::/54 goto filter_FWDO_public ip daddr 1.2.3.0/24 goto filter_FWDO_work - goto filter_FORWARD_OUT_ZONES_IFACES - } - } -]) -NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES_IFACES], 0, [dnl - table inet firewalld { - chain filter_FORWARD_OUT_ZONES_IFACES { oifname "dummy1" goto filter_FWDO_public oifname "dummy0" goto filter_FWDO_work goto filter_FWDO_public @@ -103,13 +82,6 @@ NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl chain raw_PREROUTING_ZONES { ip6 saddr dead:beef::/54 goto raw_PRE_public ip saddr 1.2.3.0/24 goto raw_PRE_work - goto raw_PREROUTING_ZONES_IFACES - } - } -]) -NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES_IFACES], 0, [dnl - table inet firewalld { - chain raw_PREROUTING_ZONES_IFACES { iifname "dummy1" goto raw_PRE_public iifname "dummy0" goto raw_PRE_work goto raw_PRE_public @@ -128,13 +100,6 @@ NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl chain mangle_PREROUTING_ZONES { ip6 saddr dead:beef::/54 goto mangle_PRE_public ip saddr 1.2.3.0/24 goto mangle_PRE_work - goto mangle_PREROUTING_ZONES_IFACES - } - } -]) -NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES_IFACES], 0, [dnl - table inet firewalld { - chain mangle_PREROUTING_ZONES_IFACES { iifname "dummy1" goto mangle_PRE_public iifname "dummy0" goto mangle_PRE_work goto mangle_PRE_public @@ -152,13 +117,6 @@ NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES], 0, [dnl table ip firewalld { chain nat_PREROUTING_ZONES { ip saddr 1.2.3.0/24 goto nat_PRE_work - goto nat_PREROUTING_ZONES_IFACES - } - } -]) -NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES_IFACES], 0, [dnl - table ip firewalld { - chain nat_PREROUTING_ZONES_IFACES { iifname "dummy1" goto nat_PRE_public iifname "dummy0" goto nat_PRE_work goto nat_PRE_public @@ -176,13 +134,6 @@ NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl table ip firewalld { chain nat_POSTROUTING_ZONES { ip daddr 1.2.3.0/24 goto nat_POST_work - goto nat_POSTROUTING_ZONES_IFACES - } - } -]) -NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_IFACES], 0, [dnl - table ip firewalld { - chain nat_POSTROUTING_ZONES_IFACES { oifname "dummy1" goto nat_POST_public oifname "dummy0" goto nat_POST_work goto nat_POST_public @@ -200,13 +151,6 @@ NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES], 0, [dnl table ip6 firewalld { chain nat_PREROUTING_ZONES { ip6 saddr dead:beef::/54 goto nat_PRE_public - goto nat_PREROUTING_ZONES_IFACES - } - } -]) -NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES_IFACES], 0, [dnl - table ip6 firewalld { - chain nat_PREROUTING_ZONES_IFACES { iifname "dummy1" goto nat_PRE_public iifname "dummy0" goto nat_PRE_work goto nat_PRE_public @@ -224,13 +168,6 @@ NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl table ip6 firewalld { chain nat_POSTROUTING_ZONES { ip6 daddr dead:beef::/54 goto nat_POST_public - goto nat_POSTROUTING_ZONES_IFACES - } - } -]) -NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_IFACES], 0, [dnl - table ip firewalld { - chain nat_POSTROUTING_ZONES_IFACES { oifname "dummy1" goto nat_POST_public oifname "dummy0" goto nat_POST_work goto nat_POST_public @@ -247,15 +184,12 @@ IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited ]) -IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0, [dnl - IN_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@ - INPUT_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ -]) -IPTABLES_LIST_RULES([filter], [INPUT_ZONES_IFACES], 0, [dnl - IN_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ - IN_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ - IN_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ -]) +IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0, + [[IN_work all -- 1.2.3.0/24 0.0.0.0/0 [goto] + IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + IN_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] + IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +]]) IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 @@ -265,77 +199,58 @@ IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited ]) -IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, [dnl - FWDI_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@ - FORWARD_IN_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ -]) -IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_IFACES], 0, [dnl - FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ - FWDI_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ - FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ -]) -IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, [dnl - FWDO_work all -- 0.0.0.0/0 1.2.3.0/24 @<:@goto@:>@ - FORWARD_OUT_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ -]) -IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_IFACES], 0, [dnl - FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ - FWDO_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ - FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ -]) +IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, + [[FWDI_work all -- 1.2.3.0/24 0.0.0.0/0 [goto] + FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + FWDI_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] + FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +]]) +IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, + [[FWDO_work all -- 0.0.0.0/0 1.2.3.0/24 [goto] + FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + FWDO_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] + FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +]]) IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0 PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 ]) -IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, [dnl - PRE_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@ - PREROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ -]) -IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES_IFACES], 0, [dnl - PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ - PRE_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ - PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ -]) +IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, + [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +]]) IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0 PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 ]) -IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, [dnl - PRE_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@ - PREROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ -]) -IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES_IFACES], 0, [dnl - PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ - PRE_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ - PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ -]) +IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, + [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +]]) IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0 PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 ]) -IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, [dnl - PRE_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@ - PREROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ -]) -IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES_IFACES], 0, [dnl - PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ - PRE_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ - PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ -]) +IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, + [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +]]) IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl POSTROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0 POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 ]) -IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, [dnl - POST_work all -- 0.0.0.0/0 1.2.3.0/24 @<:@goto@:>@ - POSTROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ -]) -IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES_IFACES], 0, [dnl - POST_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ - POST_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ - POST_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@ -]) - +IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, + [[POST_work all -- 0.0.0.0/0 1.2.3.0/24 [goto] + POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + POST_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] + POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +]]) IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED @@ -345,15 +260,12 @@ IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl DROP all ::/0 ::/0 ctstate INVALID REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited ]) -IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0, [dnl - IN_public all dead:beef::/54 ::/0 @<:@goto@:>@ - INPUT_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@ -]) -IP6TABLES_LIST_RULES([filter], [INPUT_ZONES_IFACES], 0, [dnl - IN_public all ::/0 ::/0 @<:@goto@:>@ - IN_work all ::/0 ::/0 @<:@goto@:>@ - IN_public all ::/0 ::/0 @<:@goto@:>@ -]) +IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0, + [[IN_public all dead:beef::/54 ::/0 [goto] + IN_public all ::/0 ::/0 [goto] + IN_work all ::/0 ::/0 [goto] + IN_public all ::/0 ::/0 [goto] +]]) IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED ACCEPT all ::/0 ::/0 @@ -363,24 +275,18 @@ IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl DROP all ::/0 ::/0 ctstate INVALID REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited ]) -IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, [dnl - FWDI_public all dead:beef::/54 ::/0 @<:@goto@:>@ - FORWARD_IN_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@ -]) -IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_IFACES], 0, [dnl - FWDI_public all ::/0 ::/0 @<:@goto@:>@ - FWDI_work all ::/0 ::/0 @<:@goto@:>@ - FWDI_public all ::/0 ::/0 @<:@goto@:>@ -]) -IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, [dnl - FWDO_public all ::/0 dead:beef::/54 @<:@goto@:>@ - FORWARD_OUT_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@ -]) -IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_IFACES], 0, [dnl - FWDO_public all ::/0 ::/0 @<:@goto@:>@ - FWDO_work all ::/0 ::/0 @<:@goto@:>@ - FWDO_public all ::/0 ::/0 @<:@goto@:>@ -]) +IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, + [[FWDI_public all dead:beef::/54 ::/0 [goto] + FWDI_public all ::/0 ::/0 [goto] + FWDI_work all ::/0 ::/0 [goto] + FWDI_public all ::/0 ::/0 [goto] +]]) +IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, + [[FWDO_public all ::/0 dead:beef::/54 [goto] + FWDO_public all ::/0 ::/0 [goto] + FWDO_work all ::/0 ::/0 [goto] + FWDO_public all ::/0 ::/0 [goto] +]]) IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135 @@ -388,54 +294,42 @@ IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl PREROUTING_direct all ::/0 ::/0 PREROUTING_ZONES all ::/0 ::/0 ]) -IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, [dnl - PRE_public all dead:beef::/54 ::/0 @<:@goto@:>@ - PREROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@ -]) -IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES_IFACES], 0, [dnl - PRE_public all ::/0 ::/0 @<:@goto@:>@ - PRE_work all ::/0 ::/0 @<:@goto@:>@ - PRE_public all ::/0 ::/0 @<:@goto@:>@ -]) +IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, + [[PRE_public all dead:beef::/54 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] + PRE_work all ::/0 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] +]]) IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl PREROUTING_direct all ::/0 ::/0 PREROUTING_ZONES all ::/0 ::/0 ]) -IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, [dnl - PRE_public all dead:beef::/54 ::/0 @<:@goto@:>@ - PREROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@ -]) -IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES_IFACES], 0, [dnl - PRE_public all ::/0 ::/0 @<:@goto@:>@ - PRE_work all ::/0 ::/0 @<:@goto@:>@ - PRE_public all ::/0 ::/0 @<:@goto@:>@ -]) +IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, + [[PRE_public all dead:beef::/54 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] + PRE_work all ::/0 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] +]]) IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl PREROUTING_direct all ::/0 ::/0 PREROUTING_ZONES all ::/0 ::/0 ]) -IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, [dnl - PRE_public all dead:beef::/54 ::/0 @<:@goto@:>@ - PREROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@ -]) -IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES_IFACES], 0, [dnl - PRE_public all ::/0 ::/0 @<:@goto@:>@ - PRE_work all ::/0 ::/0 @<:@goto@:>@ - PRE_public all ::/0 ::/0 @<:@goto@:>@ -]) +IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, + [[PRE_public all dead:beef::/54 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] + PRE_work all ::/0 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] +]]) IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl POSTROUTING_direct all ::/0 ::/0 POSTROUTING_ZONES all ::/0 ::/0 ]) -IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, [dnl - POST_public all ::/0 dead:beef::/54 @<:@goto@:>@ - POSTROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@ -]) -IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES_IFACES], 0, [dnl - POST_public all ::/0 ::/0 @<:@goto@:>@ - POST_work all ::/0 ::/0 @<:@goto@:>@ - POST_public all ::/0 ::/0 @<:@goto@:>@ -]) +IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, + [[POST_public all ::/0 dead:beef::/54 [goto] + POST_public all ::/0 ::/0 [goto] + POST_work all ::/0 ::/0 [goto] + POST_public all ::/0 ::/0 [goto] +]]) ]) FWD_END_TEST -- 2.20.1