rpms / firewalld

Clone
Source Code
GIT

Blame SOURCES/0033-test-verify-AllowZoneDrifting-yes.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c9 c9-beta
  1.   40251c0f663f4954f9c601dbb93aed1d85f9f7d4
  2.   SOURCES
  3.   0033-test-verify-AllowZoneDrifting-yes.patch
Blob History Raw
40251c 
From 3e3369ef14f4eba22a5c37113ba6d5e19c7ebc24 Mon Sep 17 00:00:00 2001
087194 
From: Eric Garver <eric@garver.life>
087194 
Date: Sun, 19 Jan 2020 16:49:14 -0500
40251c 
Subject: [PATCH 33/37] test: verify AllowZoneDrifting=yes
087194
087194 
Verify the zone dispatch layout.
087194
087194 
(cherry picked from commit bca4e6af91fc4c6a55f7c2bce9e4fe7bcee526a1)
40251c 
(cherry picked from commit 8f9ba9bc80f039408992e1b780bca0beab8bd92c)
087194 
---
087194 
 src/tests/regression/gh258.at       | 536 +++++++++++++++++++++++++---
087194 
 src/tests/regression/rhbz1734765.at | 180 +++++++++-
087194 
 2 files changed, 671 insertions(+), 45 deletions(-)
087194
087194 
diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at
40251c 
index 4bbea4c25442..d414c611fa26 100644
087194 
--- a/src/tests/regression/gh258.at
087194 
+++ b/src/tests/regression/gh258.at
087194 
@@ -1,12 +1,15 @@
087194 
 FWD_START_TEST([zone dispatch layout])
087194 
-AT_KEYWORDS(zone gh258 gh441 rhbz1713823)
087194 
+AT_KEYWORDS(zone gh258 gh441 rhbz1713823 rhbz1772208 rhbz1796055)
087194
087194 
-FWD_CHECK([--zone=work --add-source="1.2.3.0/24"], 0, ignore)
087194 
+FWD_CHECK([--permanent --zone=trusted --add-source="1.2.3.0/24"], 0, ignore)
40251c 
 IF_HOST_SUPPORTS_IPV6_RULES([
087194 
-FWD_CHECK([--zone=public --add-source="dead:beef::/54"], 0, ignore)
087194 
+FWD_CHECK([--permanent --zone=public --add-source="dead:beef::/54"], 0, ignore)
087194 
 ])
087194 
-FWD_CHECK([--zone=work --add-interface=dummy0], 0, ignore)
087194 
-FWD_CHECK([--zone=public --add-interface=dummy1], 0, ignore)
087194 
+FWD_CHECK([--permanent --zone=trusted --add-interface=dummy0], 0, ignore)
087194 
+FWD_CHECK([--permanent --zone=public --add-interface=dummy1], 0, ignore)
087194 
+
087194 
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
087194 
+FWD_RELOAD
087194
087194 
 dnl verify layout of zone dispatch
087194 
 NFT_LIST_RULES([inet], [filter_INPUT], 0, [dnl
087194 
@@ -25,9 +28,9 @@ NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl
087194 
     table inet firewalld {
087194 
         chain filter_INPUT_ZONES {
087194 
             ip6 saddr dead:beef::/54 goto filter_IN_public
087194 
-            ip saddr 1.2.3.0/24 goto filter_IN_work
087194 
+            ip saddr 1.2.3.0/24 goto filter_IN_trusted
087194 
+            iifname "dummy0" goto filter_IN_trusted
087194 
             iifname "dummy1" goto filter_IN_public
087194 
-            iifname "dummy0" goto filter_IN_work
087194 
             goto filter_IN_public
087194 
         }
087194 
     }
087194 
@@ -50,9 +53,9 @@ NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES], 0, [dnl
087194 
     table inet firewalld {
087194 
         chain filter_FORWARD_IN_ZONES {
087194 
             ip6 saddr dead:beef::/54 goto filter_FWDI_public
087194 
-            ip saddr 1.2.3.0/24 goto filter_FWDI_work
087194 
+            ip saddr 1.2.3.0/24 goto filter_FWDI_trusted
087194 
+            iifname "dummy0" goto filter_FWDI_trusted
087194 
             iifname "dummy1" goto filter_FWDI_public
087194 
-            iifname "dummy0" goto filter_FWDI_work
087194 
             goto filter_FWDI_public
087194 
         }
087194 
     }
087194 
@@ -61,9 +64,9 @@ NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl
087194 
     table inet firewalld {
087194 
         chain filter_FORWARD_OUT_ZONES {
087194 
             ip6 daddr dead:beef::/54 goto filter_FWDO_public
087194 
-            ip daddr 1.2.3.0/24 goto filter_FWDO_work
087194 
+            ip daddr 1.2.3.0/24 goto filter_FWDO_trusted
087194 
+            oifname "dummy0" goto filter_FWDO_trusted
087194 
             oifname "dummy1" goto filter_FWDO_public
087194 
-            oifname "dummy0" goto filter_FWDO_work
087194 
             goto filter_FWDO_public
087194 
         }
087194 
     }
40251c 
@@ -91,9 +94,9 @@ NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl
087194 
     table inet firewalld {
087194 
         chain raw_PREROUTING_ZONES {
087194 
             ip6 saddr dead:beef::/54 goto raw_PRE_public
087194 
-            ip saddr 1.2.3.0/24 goto raw_PRE_work
087194 
+            ip saddr 1.2.3.0/24 goto raw_PRE_trusted
087194 
+            iifname "dummy0" goto raw_PRE_trusted
087194 
             iifname "dummy1" goto raw_PRE_public
087194 
-            iifname "dummy0" goto raw_PRE_work
087194 
             goto raw_PRE_public
087194 
         }
087194 
     }
40251c 
@@ -109,9 +112,9 @@ NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl
087194 
     table inet firewalld {
087194 
         chain mangle_PREROUTING_ZONES {
087194 
             ip6 saddr dead:beef::/54 goto mangle_PRE_public
087194 
-            ip saddr 1.2.3.0/24 goto mangle_PRE_work
087194 
+            ip saddr 1.2.3.0/24 goto mangle_PRE_trusted
087194 
+            iifname "dummy0" goto mangle_PRE_trusted
087194 
             iifname "dummy1" goto mangle_PRE_public
087194 
-            iifname "dummy0" goto mangle_PRE_work
087194 
             goto mangle_PRE_public
087194 
         }
087194 
     }
40251c 
@@ -126,9 +129,9 @@ NFT_LIST_RULES([ip], [nat_PREROUTING], 0, [dnl
087194 
 NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES], 0, [dnl
087194 
     table ip firewalld {
087194 
         chain nat_PREROUTING_ZONES {
087194 
-            ip saddr 1.2.3.0/24 goto nat_PRE_work
087194 
+            ip saddr 1.2.3.0/24 goto nat_PRE_trusted
087194 
+            iifname "dummy0" goto nat_PRE_trusted
087194 
             iifname "dummy1" goto nat_PRE_public
087194 
-            iifname "dummy0" goto nat_PRE_work
087194 
             goto nat_PRE_public
087194 
         }
087194 
     }
40251c 
@@ -143,9 +146,9 @@ NFT_LIST_RULES([ip], [nat_POSTROUTING], 0, [dnl
087194 
 NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl
087194 
     table ip firewalld {
087194 
         chain nat_POSTROUTING_ZONES {
087194 
-            ip daddr 1.2.3.0/24 goto nat_POST_work
087194 
+            ip daddr 1.2.3.0/24 goto nat_POST_trusted
087194 
+            oifname "dummy0" goto nat_POST_trusted
087194 
             oifname "dummy1" goto nat_POST_public
087194 
-            oifname "dummy0" goto nat_POST_work
087194 
             goto nat_POST_public
087194 
         }
087194 
     }
40251c 
@@ -161,8 +164,8 @@ NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES], 0, [dnl
087194 
     table ip6 firewalld {
087194 
         chain nat_PREROUTING_ZONES {
087194 
             ip6 saddr dead:beef::/54 goto nat_PRE_public
087194 
+            iifname "dummy0" goto nat_PRE_trusted
087194 
             iifname "dummy1" goto nat_PRE_public
087194 
-            iifname "dummy0" goto nat_PRE_work
087194 
             goto nat_PRE_public
087194 
         }
087194 
     }
40251c 
@@ -178,8 +181,8 @@ NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl
087194 
     table ip6 firewalld {
087194 
         chain nat_POSTROUTING_ZONES {
087194 
             ip6 daddr dead:beef::/54 goto nat_POST_public
087194 
+            oifname "dummy0" goto nat_POST_trusted
087194 
             oifname "dummy1" goto nat_POST_public
087194 
-            oifname "dummy0" goto nat_POST_work
087194 
             goto nat_POST_public
087194 
         }
087194 
     }
40251c 
@@ -194,9 +197,9 @@ IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
087194 
     REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
087194 
 ])
087194 
 IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
087194 
-  [[IN_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
087194 
+  [[IN_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
087194 
+    IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
     IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
-    IN_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
     IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
 ]])
087194 
 IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
40251c 
@@ -209,15 +212,15 @@ IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
087194 
     REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
087194 
 ])
087194 
 IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0,
087194 
-  [[FWDI_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
087194 
+  [[FWDI_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
087194 
+    FWDI_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
     FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
-    FWDI_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
     FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
 ]])
087194 
 IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0,
087194 
-  [[FWDO_work all -- 0.0.0.0/0 1.2.3.0/24 [goto]
087194 
+  [[FWDO_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto]
087194 
+    FWDO_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
     FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
-    FWDO_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
     FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
 ]])
087194 
 IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
40251c 
@@ -225,9 +228,9 @@ IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
087194 
     PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
087194 
 ])
087194 
 IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,
087194 
-  [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
087194 
+  [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
087194 
+    PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
     PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
-    PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
     PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
 ]])
087194 
 IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
40251c 
@@ -235,9 +238,9 @@ IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
087194 
     PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
087194 
 ])
087194 
 IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0,
087194 
-  [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
087194 
+  [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
087194 
+    PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
     PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
-    PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
     PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
 ]])
087194 
 IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
40251c 
@@ -245,9 +248,9 @@ IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
087194 
     PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
087194 
 ])
087194 
 IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0,
087194 
-  [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
087194 
+  [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
087194 
+    PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
     PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
-    PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
     PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
 ]])
087194 
 IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
40251c 
@@ -255,9 +258,9 @@ IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
087194 
     POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
087194 
 ])
087194 
 IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
087194 
-  [[POST_work all -- 0.0.0.0/0 1.2.3.0/24 [goto]
087194 
+  [[POST_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto]
087194 
+    POST_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
     POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
-    POST_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
     POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
 ]])
087194
40251c 
@@ -271,8 +274,8 @@ IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl
087194 
 ])
087194 
 IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
087194 
   [[IN_public all dead:beef::/54 ::/0 [goto]
087194 
+    IN_trusted all ::/0 ::/0 [goto]
087194 
     IN_public all ::/0 ::/0 [goto]
087194 
-    IN_work all ::/0 ::/0 [goto]
087194 
     IN_public all ::/0 ::/0 [goto]
087194 
 ]])
087194 
 IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
40251c 
@@ -287,14 +290,14 @@ IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
087194 
 ])
087194 
 IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0,
087194 
   [[FWDI_public all dead:beef::/54 ::/0 [goto]
087194 
+    FWDI_trusted all ::/0 ::/0 [goto]
087194 
     FWDI_public all ::/0 ::/0 [goto]
087194 
-    FWDI_work all ::/0 ::/0 [goto]
087194 
     FWDI_public all ::/0 ::/0 [goto]
087194 
 ]])
087194 
 IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0,
087194 
   [[FWDO_public all ::/0 dead:beef::/54 [goto]
087194 
+    FWDO_trusted all ::/0 ::/0 [goto]
087194 
     FWDO_public all ::/0 ::/0 [goto]
087194 
-    FWDO_work all ::/0 ::/0 [goto]
087194 
     FWDO_public all ::/0 ::/0 [goto]
087194 
 ]])
087194 
 IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
40251c 
@@ -306,8 +309,8 @@ IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
087194 
 ])
087194 
 IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,
087194 
   [[PRE_public all dead:beef::/54 ::/0 [goto]
087194 
+    PRE_trusted all ::/0 ::/0 [goto]
087194 
     PRE_public all ::/0 ::/0 [goto]
087194 
-    PRE_work all ::/0 ::/0 [goto]
087194 
     PRE_public all ::/0 ::/0 [goto]
087194 
 ]])
087194 
 IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
40251c 
@@ -316,8 +319,8 @@ IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
087194 
 ])
087194 
 IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0,
087194 
   [[PRE_public all dead:beef::/54 ::/0 [goto]
087194 
+    PRE_trusted all ::/0 ::/0 [goto]
087194 
     PRE_public all ::/0 ::/0 [goto]
087194 
-    PRE_work all ::/0 ::/0 [goto]
087194 
     PRE_public all ::/0 ::/0 [goto]
087194 
 ]])
087194 
 IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
40251c 
@@ -326,8 +329,8 @@ IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
087194 
 ])
087194 
 IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0,
087194 
   [[PRE_public all dead:beef::/54 ::/0 [goto]
087194 
+    PRE_trusted all ::/0 ::/0 [goto]
087194 
     PRE_public all ::/0 ::/0 [goto]
087194 
-    PRE_work all ::/0 ::/0 [goto]
087194 
     PRE_public all ::/0 ::/0 [goto]
087194 
 ]])
087194 
 IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
40251c 
@@ -336,9 +339,456 @@ IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
087194 
 ])
087194 
 IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
087194 
   [[POST_public all ::/0 dead:beef::/54 [goto]
087194 
+    POST_trusted all ::/0 ::/0 [goto]
087194 
+    POST_public all ::/0 ::/0 [goto]
087194 
+    POST_public all ::/0 ::/0 [goto]
087194 
+]])
087194 
+
087194 
+dnl ##########################################################################
087194 
+dnl ##########################################################################
087194 
+dnl We also support zone drifting in which source based zones fall through to
087194 
+dnl interface based zones (including default zone).
087194 
+dnl ##########################################################################
087194 
+dnl ##########################################################################
087194 
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=yes/' ./firewalld.conf])
087194 
+FWD_RELOAD
087194 
+
087194 
+NFT_LIST_RULES([inet], [filter_INPUT], 0, [dnl
087194 
+    table inet firewalld {
087194 
+        chain filter_INPUT {
087194 
+            ct state established,related accept
087194 
+            ct status dnat accept
087194 
+            iifname "lo" accept
087194 
+            jump filter_INPUT_ZONES_SOURCE
087194 
+            jump filter_INPUT_ZONES
087194 
+            ct state invalid drop
087194 
+            reject with icmpx type admin-prohibited
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([inet], [filter_INPUT_ZONES_SOURCE], 0, [dnl
087194 
+    table inet firewalld {
087194 
+        chain filter_INPUT_ZONES_SOURCE {
087194 
+            ip6 saddr dead:beef::/54 goto filter_IN_public
087194 
+            ip saddr 1.2.3.0/24 goto filter_IN_trusted
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl
087194 
+    table inet firewalld {
087194 
+        chain filter_INPUT_ZONES {
087194 
+            iifname "dummy0" goto filter_IN_trusted
087194 
+            iifname "dummy1" goto filter_IN_public
087194 
+            goto filter_IN_public
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
087194 
+    table inet firewalld {
087194 
+        chain filter_FORWARD {
087194 
+            ct state established,related accept
087194 
+            ct status dnat accept
087194 
+            iifname "lo" accept
087194 
+            ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
087194 
+            jump filter_FORWARD_IN_ZONES_SOURCE
087194 
+            jump filter_FORWARD_IN_ZONES
087194 
+            jump filter_FORWARD_OUT_ZONES_SOURCE
087194 
+            jump filter_FORWARD_OUT_ZONES
087194 
+            ct state invalid drop
087194 
+            reject with icmpx type admin-prohibited
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES_SOURCE], 0, [dnl
087194 
+    table inet firewalld {
087194 
+        chain filter_FORWARD_IN_ZONES_SOURCE {
087194 
+            ip6 saddr dead:beef::/54 goto filter_FWDI_public
087194 
+            ip saddr 1.2.3.0/24 goto filter_FWDI_trusted
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES], 0, [dnl
087194 
+    table inet firewalld {
087194 
+        chain filter_FORWARD_IN_ZONES {
087194 
+            iifname "dummy0" goto filter_FWDI_trusted
087194 
+            iifname "dummy1" goto filter_FWDI_public
087194 
+            goto filter_FWDI_public
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES_SOURCE], 0, [dnl
087194 
+    table inet firewalld {
087194 
+        chain filter_FORWARD_OUT_ZONES_SOURCE {
087194 
+            ip6 daddr dead:beef::/54 goto filter_FWDO_public
087194 
+            ip daddr 1.2.3.0/24 goto filter_FWDO_trusted
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl
087194 
+    table inet firewalld {
087194 
+        chain filter_FORWARD_OUT_ZONES {
087194 
+            oifname "dummy0" goto filter_FWDO_trusted
087194 
+            oifname "dummy1" goto filter_FWDO_public
087194 
+            goto filter_FWDO_public
087194 
+        }
087194 
+    }
087194 
+])
40251c 
+IF_HOST_SUPPORTS_NFT_FIB([
087194 
+    NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl
087194 
+        table inet firewalld {
087194 
+            chain raw_PREROUTING {
087194 
+                icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
087194 
+                meta nfproto ipv6 fib saddr . iif oif missing drop
087194 
+                jump raw_PREROUTING_ZONES_SOURCE
087194 
+                jump raw_PREROUTING_ZONES
087194 
+            }
087194 
+        }
087194 
+    ])
087194 
+], [
087194 
+    NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl
087194 
+        table inet firewalld {
087194 
+            chain raw_PREROUTING {
087194 
+                jump raw_PREROUTING_ZONES_SOURCE
087194 
+                jump raw_PREROUTING_ZONES
087194 
+            }
087194 
+        }
087194 
+    ])
087194 
+])
087194 
+NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES_SOURCE], 0, [dnl
087194 
+    table inet firewalld {
087194 
+        chain raw_PREROUTING_ZONES_SOURCE {
087194 
+            ip6 saddr dead:beef::/54 goto raw_PRE_public
087194 
+            ip saddr 1.2.3.0/24 goto raw_PRE_trusted
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl
087194 
+    table inet firewalld {
087194 
+        chain raw_PREROUTING_ZONES {
087194 
+            iifname "dummy0" goto raw_PRE_trusted
087194 
+            iifname "dummy1" goto raw_PRE_public
087194 
+            goto raw_PRE_public
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([inet], [mangle_PREROUTING], 0, [dnl
087194 
+    table inet firewalld {
087194 
+        chain mangle_PREROUTING {
087194 
+            jump mangle_PREROUTING_ZONES_SOURCE
087194 
+            jump mangle_PREROUTING_ZONES
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES_SOURCE], 0, [dnl
087194 
+    table inet firewalld {
087194 
+        chain mangle_PREROUTING_ZONES_SOURCE {
087194 
+            ip6 saddr dead:beef::/54 goto mangle_PRE_public
087194 
+            ip saddr 1.2.3.0/24 goto mangle_PRE_trusted
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl
087194 
+    table inet firewalld {
087194 
+        chain mangle_PREROUTING_ZONES {
087194 
+            iifname "dummy0" goto mangle_PRE_trusted
087194 
+            iifname "dummy1" goto mangle_PRE_public
087194 
+            goto mangle_PRE_public
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([ip], [nat_PREROUTING], 0, [dnl
087194 
+    table ip firewalld {
087194 
+        chain nat_PREROUTING {
087194 
+            jump nat_PREROUTING_ZONES_SOURCE
087194 
+            jump nat_PREROUTING_ZONES
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES_SOURCE], 0, [dnl
087194 
+    table ip firewalld {
087194 
+        chain nat_PREROUTING_ZONES_SOURCE {
087194 
+            ip saddr 1.2.3.0/24 goto nat_PRE_trusted
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES], 0, [dnl
087194 
+    table ip firewalld {
087194 
+        chain nat_PREROUTING_ZONES {
087194 
+            iifname "dummy0" goto nat_PRE_trusted
087194 
+            iifname "dummy1" goto nat_PRE_public
087194 
+            goto nat_PRE_public
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([ip], [nat_POSTROUTING], 0, [dnl
087194 
+    table ip firewalld {
087194 
+        chain nat_POSTROUTING {
087194 
+            jump nat_POSTROUTING_ZONES_SOURCE
087194 
+            jump nat_POSTROUTING_ZONES
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
087194 
+    table ip firewalld {
087194 
+        chain nat_POSTROUTING_ZONES_SOURCE {
087194 
+            ip daddr 1.2.3.0/24 goto nat_POST_trusted
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl
087194 
+    table ip firewalld {
087194 
+        chain nat_POSTROUTING_ZONES {
087194 
+            oifname "dummy0" goto nat_POST_trusted
087194 
+            oifname "dummy1" goto nat_POST_public
087194 
+            goto nat_POST_public
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([ip6], [nat_PREROUTING], 0, [dnl
087194 
+    table ip6 firewalld {
087194 
+        chain nat_PREROUTING {
087194 
+            jump nat_PREROUTING_ZONES_SOURCE
087194 
+            jump nat_PREROUTING_ZONES
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES_SOURCE], 0, [dnl
087194 
+    table ip6 firewalld {
087194 
+        chain nat_PREROUTING_ZONES_SOURCE {
087194 
+            ip6 saddr dead:beef::/54 goto nat_PRE_public
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES], 0, [dnl
087194 
+    table ip6 firewalld {
087194 
+        chain nat_PREROUTING_ZONES {
087194 
+            iifname "dummy0" goto nat_PRE_trusted
087194 
+            iifname "dummy1" goto nat_PRE_public
087194 
+            goto nat_PRE_public
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([ip6], [nat_POSTROUTING], 0, [dnl
087194 
+    table ip6 firewalld {
087194 
+        chain nat_POSTROUTING {
087194 
+            jump nat_POSTROUTING_ZONES_SOURCE
087194 
+            jump nat_POSTROUTING_ZONES
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
087194 
+    table ip6 firewalld {
087194 
+        chain nat_POSTROUTING_ZONES_SOURCE {
087194 
+            ip6 daddr dead:beef::/54 goto nat_POST_public
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl
087194 
+    table ip6 firewalld {
087194 
+        chain nat_POSTROUTING_ZONES {
087194 
+            oifname "dummy0" goto nat_POST_trusted
087194 
+            oifname "dummy1" goto nat_POST_public
087194 
+            goto nat_POST_public
087194 
+        }
087194 
+    }
087194 
+])
087194 
+
087194 
+IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
087194 
+    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT
087194 
+    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
087194 
+    INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
087194 
+    INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
087194 
+    INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
087194 
+    DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
087194 
+    REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
087194 
+])
087194 
+IPTABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0,
087194 
+  [[IN_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
087194 
+]])
087194 
+IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
087194 
+  [[IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+    IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+    IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+]])
087194 
+IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
087194 
+    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT
087194 
+    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
087194 
+    FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
087194 
+    FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
087194 
+    FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
087194 
+    FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
087194 
+    FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
087194 
+    DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
087194 
+    REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
087194 
+])
087194 
+IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_SOURCE], 0,
087194 
+  [[FWDI_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
087194 
+]])
087194 
+IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0,
087194 
+  [[FWDI_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+    FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+    FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+]])
087194 
+IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_SOURCE], 0,
087194 
+  [[FWDO_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto]
087194 
+]])
087194 
+IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0,
087194 
+  [[FWDO_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+    FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+    FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+]])
087194 
+IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
087194 
+    PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
087194 
+    PREROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
087194 
+    PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
087194 
+])
087194 
+IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES_SOURCE], 0,
087194 
+  [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
087194 
+]])
087194 
+IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,
087194 
+  [[PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+]])
087194 
+IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
087194 
+    PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
087194 
+    PREROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
087194 
+    PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
087194 
+])
087194 
+IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES_SOURCE], 0,
087194 
+  [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
087194 
+]])
087194 
+IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0,
087194 
+  [[PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+]])
087194 
+IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
087194 
+    PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
087194 
+    PREROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
087194 
+    PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
087194 
+])
087194 
+IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES_SOURCE], 0,
087194 
+  [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
087194 
+]])
087194 
+IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0,
087194 
+  [[PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+]])
087194 
+IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
087194 
+    POSTROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
087194 
+    POSTROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
087194 
+    POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
087194 
+])
087194 
+IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0,
087194 
+  [[POST_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto]
087194 
+]])
087194 
+IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
087194 
+  [[POST_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+    POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+    POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+]])
087194 
+
087194 
+IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl
087194 
+    ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT
087194 
+    ACCEPT all ::/0 ::/0
087194 
+    INPUT_direct all ::/0 ::/0
087194 
+    INPUT_ZONES_SOURCE all ::/0 ::/0
087194 
+    INPUT_ZONES all ::/0 ::/0
087194 
+    DROP all ::/0 ::/0 ctstate INVALID
087194 
+    REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
087194 
+])
087194 
+IP6TABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0,
087194 
+  [[IN_public all dead:beef::/54 ::/0 [goto]
087194 
+]])
087194 
+IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
087194 
+  [[IN_trusted all ::/0 ::/0 [goto]
087194 
+    IN_public all ::/0 ::/0 [goto]
087194 
+    IN_public all ::/0 ::/0 [goto]
087194 
+]])
087194 
+IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
087194 
+    ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT
087194 
+    ACCEPT all ::/0 ::/0
087194 
+    FORWARD_direct all ::/0 ::/0
087194 
+    RFC3964_IPv4 all ::/0 ::/0
087194 
+    FORWARD_IN_ZONES_SOURCE all ::/0 ::/0
087194 
+    FORWARD_IN_ZONES all ::/0 ::/0
087194 
+    FORWARD_OUT_ZONES_SOURCE all ::/0 ::/0
087194 
+    FORWARD_OUT_ZONES all ::/0 ::/0
087194 
+    DROP all ::/0 ::/0 ctstate INVALID
087194 
+    REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
087194 
+])
087194 
+IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_SOURCE], 0,
087194 
+  [[FWDI_public all dead:beef::/54 ::/0 [goto]
087194 
+]])
087194 
+IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0,
087194 
+  [[FWDI_trusted all ::/0 ::/0 [goto]
087194 
+    FWDI_public all ::/0 ::/0 [goto]
087194 
+    FWDI_public all ::/0 ::/0 [goto]
087194 
+]])
087194 
+IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_SOURCE], 0,
087194 
+  [[FWDO_public all ::/0 dead:beef::/54 [goto]
087194 
+]])
087194 
+IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0,
087194 
+  [[FWDO_trusted all ::/0 ::/0 [goto]
087194 
+    FWDO_public all ::/0 ::/0 [goto]
087194 
+    FWDO_public all ::/0 ::/0 [goto]
087194 
+]])
087194 
+IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
087194 
+    ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134
087194 
+    ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135
087194 
+    DROP all ::/0 ::/0 rpfilter invert
087194 
+    PREROUTING_direct all ::/0 ::/0
087194 
+    PREROUTING_ZONES_SOURCE all ::/0 ::/0
087194 
+    PREROUTING_ZONES all ::/0 ::/0
087194 
+])
087194 
+IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES_SOURCE], 0,
087194 
+  [[PRE_public all dead:beef::/54 ::/0 [goto]
087194 
+]])
087194 
+IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,
087194 
+  [[PRE_trusted all ::/0 ::/0 [goto]
087194 
+    PRE_public all ::/0 ::/0 [goto]
087194 
+    PRE_public all ::/0 ::/0 [goto]
087194 
+]])
087194 
+IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
087194 
+    PREROUTING_direct all ::/0 ::/0
087194 
+    PREROUTING_ZONES_SOURCE all ::/0 ::/0
087194 
+    PREROUTING_ZONES all ::/0 ::/0
087194 
+])
087194 
+IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES_SOURCE], 0,
087194 
+  [[PRE_public all dead:beef::/54 ::/0 [goto]
087194 
+]])
087194 
+IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0,
087194 
+  [[PRE_trusted all ::/0 ::/0 [goto]
087194 
+    PRE_public all ::/0 ::/0 [goto]
087194 
+    PRE_public all ::/0 ::/0 [goto]
087194 
+]])
087194 
+IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
087194 
+    PREROUTING_direct all ::/0 ::/0
087194 
+    PREROUTING_ZONES_SOURCE all ::/0 ::/0
087194 
+    PREROUTING_ZONES all ::/0 ::/0
087194 
+])
087194 
+IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES_SOURCE], 0,
087194 
+  [[PRE_public all dead:beef::/54 ::/0 [goto]
087194 
+]])
087194 
+IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0,
087194 
+  [[PRE_trusted all ::/0 ::/0 [goto]
087194 
+    PRE_public all ::/0 ::/0 [goto]
087194 
+    PRE_public all ::/0 ::/0 [goto]
087194 
+]])
087194 
+IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
087194 
+    POSTROUTING_direct all ::/0 ::/0
087194 
+    POSTROUTING_ZONES_SOURCE all ::/0 ::/0
087194 
+    POSTROUTING_ZONES all ::/0 ::/0
087194 
+])
087194 
+IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0,
087194 
+  [[POST_public all ::/0 dead:beef::/54 [goto]
087194 
+]])
087194 
+IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
087194 
+  [[POST_trusted all ::/0 ::/0 [goto]
087194 
     POST_public all ::/0 ::/0 [goto]
087194 
-    POST_work all ::/0 ::/0 [goto]
087194 
     POST_public all ::/0 ::/0 [goto]
087194 
 ]])
087194
087194 
-FWD_END_TEST
087194 
+FWD_END_TEST([-e '/WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now./d'])
087194 
diff --git a/src/tests/regression/rhbz1734765.at b/src/tests/regression/rhbz1734765.at
40251c 
index 972457e3126e..bb054bdb0361 100644
087194 
--- a/src/tests/regression/rhbz1734765.at
087194 
+++ b/src/tests/regression/rhbz1734765.at
087194 
@@ -1,9 +1,12 @@
087194 
 FWD_START_TEST([zone sources ordered by name])
087194 
-AT_KEYWORDS(zone rhbz1734765 rhbz1421222 gh166 rhbz1738545)
087194 
+AT_KEYWORDS(zone rhbz1734765 rhbz1421222 gh166 rhbz1738545 rhbz1772208 rhbz1796055)
087194 
 dnl
087194 
 dnl Users depend on firewalld ordering source-based zone dispatch by zone name.
087194 
 dnl
087194
087194 
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
087194 
+FWD_RELOAD
087194 
+
087194 
 FWD_CHECK([-q --permanent --new-zone=foobar_00])
087194 
 FWD_CHECK([-q --permanent --new-zone=foobar_05])
087194 
 FWD_CHECK([-q --permanent --new-zone=foobar_02])
087194 
@@ -196,4 +199,177 @@ IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
087194 
     POST_public all ::/0 ::/0 [goto]
087194 
 ]])
087194
087194 
-FWD_END_TEST
087194 
+dnl ##########################################################################
087194 
+dnl ##########################################################################
087194 
+dnl We also support zone drifting in which source based zones fall through to
087194 
+dnl interface based zones (including default zone). So make sure the zones are
087194 
+dnl sorted by name in this mode.
087194 
+dnl ##########################################################################
087194 
+dnl ##########################################################################
087194 
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=yes/' ./firewalld.conf])
087194 
+FWD_RELOAD
087194 
+
087194 
+FWD_CHECK([-q --zone=foobar_010 --add-source="10.10.10.10"])
087194 
+FWD_CHECK([-q --zone=public --add-source="20.20.20.20"])
40251c 
+IF_HOST_SUPPORTS_IPV6_RULES([
087194 
+FWD_CHECK([-q --zone=foobar_010 --add-source="1234:5678::10:10:10"])
087194 
+FWD_CHECK([-q --zone=public --add-source="1234:5678::20:20:20"])
087194 
+FWD_CHECK([-q --zone=foobar_012 --add-source ipset:ipsetv6])
087194 
+])
087194 
+FWD_CHECK([-q --zone=foobar_010 --add-interface=foobar2])
087194 
+
087194 
+NFT_LIST_RULES([inet], [filter_INPUT_ZONES_SOURCE], 0, [dnl
087194 
+    table inet firewalld {
087194 
+        chain filter_INPUT_ZONES_SOURCE {
087194 
+            ip saddr 10.1.1.1 goto filter_IN_foobar_00
087194 
+            ip6 saddr 1234:5678::1:1:1 goto filter_IN_foobar_00
087194 
+            ip saddr 10.1.1.0/24 goto filter_IN_foobar_01
087194 
+            ip6 saddr 1234:5678::1:1:0/112 goto filter_IN_foobar_01
087194 
+            ip saddr 10.10.10.10 goto filter_IN_foobar_010
087194 
+            ip6 saddr 1234:5678::10:10:10 goto filter_IN_foobar_010
087194 
+            ip saddr @ipsetv4 goto filter_IN_foobar_011
087194 
+            ip6 saddr @ipsetv6 goto filter_IN_foobar_012
087194 
+            ip saddr 10.1.0.0/16 goto filter_IN_foobar_02
087194 
+            ip6 saddr 1234:5678::1:0:0/96 goto filter_IN_foobar_02
087194 
+            ip saddr 10.2.2.0/24 goto filter_IN_foobar_03
087194 
+            ip6 saddr 1234:5678::2:2:0/112 goto filter_IN_foobar_03
087194 
+            ip saddr 10.2.0.0/16 goto filter_IN_foobar_04
087194 
+            ip6 saddr 1234:5678::2:0:0/96 goto filter_IN_foobar_04
087194 
+            ip saddr 10.0.0.0/8 goto filter_IN_foobar_05
087194 
+            ip6 saddr 1234:5678::/80 goto filter_IN_foobar_05
087194 
+            ip saddr 20.20.20.20 goto filter_IN_public
087194 
+            ip6 saddr 1234:5678::20:20:20 goto filter_IN_public
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl
087194 
+    table inet firewalld {
087194 
+        chain filter_INPUT_ZONES {
087194 
+            iifname "foobar2" goto filter_IN_foobar_010
087194 
+            iifname "foobar1" goto filter_IN_trusted
087194 
+            iifname "foobar0" goto filter_IN_internal
087194 
+            goto filter_IN_public
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
087194 
+    table ip firewalld {
087194 
+        chain nat_POSTROUTING_ZONES_SOURCE {
087194 
+            ip daddr 10.1.1.1 goto nat_POST_foobar_00
087194 
+            ip daddr 10.1.1.0/24 goto nat_POST_foobar_01
087194 
+            ip daddr 10.10.10.10 goto nat_POST_foobar_010
087194 
+            ip daddr @ipsetv4 goto nat_POST_foobar_011
087194 
+            ip daddr 10.1.0.0/16 goto nat_POST_foobar_02
087194 
+            ip daddr 10.2.2.0/24 goto nat_POST_foobar_03
087194 
+            ip daddr 10.2.0.0/16 goto nat_POST_foobar_04
087194 
+            ip daddr 10.0.0.0/8 goto nat_POST_foobar_05
087194 
+            ip daddr 20.20.20.20 goto nat_POST_public
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl
087194 
+    table ip firewalld {
087194 
+        chain nat_POSTROUTING_ZONES {
087194 
+            oifname "foobar2" goto nat_POST_foobar_010
087194 
+            oifname "foobar1" goto nat_POST_trusted
087194 
+            oifname "foobar0" goto nat_POST_internal
087194 
+            goto nat_POST_public
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
087194 
+    table ip6 firewalld {
087194 
+        chain nat_POSTROUTING_ZONES_SOURCE {
087194 
+            ip6 daddr 1234:5678::1:1:1 goto nat_POST_foobar_00
087194 
+            ip6 daddr 1234:5678::1:1:0/112 goto nat_POST_foobar_01
087194 
+            ip6 daddr 1234:5678::10:10:10 goto nat_POST_foobar_010
087194 
+            ip6 daddr @ipsetv6 goto nat_POST_foobar_012
087194 
+            ip6 daddr 1234:5678::1:0:0/96 goto nat_POST_foobar_02
087194 
+            ip6 daddr 1234:5678::2:2:0/112 goto nat_POST_foobar_03
087194 
+            ip6 daddr 1234:5678::2:0:0/96 goto nat_POST_foobar_04
087194 
+            ip6 daddr 1234:5678::/80 goto nat_POST_foobar_05
087194 
+            ip6 daddr 1234:5678::20:20:20 goto nat_POST_public
087194 
+        }
087194 
+    }
087194 
+])
087194 
+NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl
087194 
+    table ip6 firewalld {
087194 
+        chain nat_POSTROUTING_ZONES {
087194 
+            oifname "foobar2" goto nat_POST_foobar_010
087194 
+            oifname "foobar1" goto nat_POST_trusted
087194 
+            oifname "foobar0" goto nat_POST_internal
087194 
+            goto nat_POST_public
087194 
+        }
087194 
+    }
087194 
+])
087194 
+
087194 
+IPTABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0,
087194 
+  [[IN_foobar_00 all -- 10.1.1.1 0.0.0.0/0 [goto]
087194 
+    IN_foobar_01 all -- 10.1.1.0/24 0.0.0.0/0 [goto]
087194 
+    IN_foobar_010 all -- 10.10.10.10 0.0.0.0/0 [goto]
087194 
+    IN_foobar_011 all -- 0.0.0.0/0 0.0.0.0/0 [goto] match-set ipsetv4 src
087194 
+    IN_foobar_02 all -- 10.1.0.0/16 0.0.0.0/0 [goto]
087194 
+    IN_foobar_03 all -- 10.2.2.0/24 0.0.0.0/0 [goto]
087194 
+    IN_foobar_04 all -- 10.2.0.0/16 0.0.0.0/0 [goto]
087194 
+    IN_foobar_05 all -- 10.0.0.0/8 0.0.0.0/0 [goto]
087194 
+    IN_public all -- 20.20.20.20 0.0.0.0/0 [goto]
087194 
+]])
087194 
+IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
087194 
+  [[IN_foobar_010 all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+    IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+    IN_internal all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+    IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+]])
087194 
+IP6TABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0,
087194 
+  [[IN_foobar_00 all 1234:5678::1:1:1 ::/0 [goto]
087194 
+    IN_foobar_01 all 1234:5678::1:1:0/112 ::/0 [goto]
087194 
+    IN_foobar_010 all 1234:5678::10:10:10 ::/0 [goto]
087194 
+    IN_foobar_012 all ::/0 ::/0 [goto] match-set ipsetv6 src
087194 
+    IN_foobar_02 all 1234:5678::1:0:0/96 ::/0 [goto]
087194 
+    IN_foobar_03 all 1234:5678::2:2:0/112 ::/0 [goto]
087194 
+    IN_foobar_04 all 1234:5678::2:0:0/96 ::/0 [goto]
087194 
+    IN_foobar_05 all 1234:5678::/80 ::/0 [goto]
087194 
+    IN_public all 1234:5678::20:20:20 ::/0 [goto]
087194 
+]])
087194 
+IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
087194 
+  [[IN_foobar_010 all ::/0 ::/0 [goto]
087194 
+    IN_trusted all ::/0 ::/0 [goto]
087194 
+    IN_internal all ::/0 ::/0 [goto]
087194 
+    IN_public all ::/0 ::/0 [goto]
087194 
+]])
087194 
+IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0,
087194 
+  [[POST_foobar_00 all -- 0.0.0.0/0 10.1.1.1 [goto]
087194 
+    POST_foobar_01 all -- 0.0.0.0/0 10.1.1.0/24 [goto]
087194 
+    POST_foobar_010 all -- 0.0.0.0/0 10.10.10.10 [goto]
087194 
+    POST_foobar_011 all -- 0.0.0.0/0 0.0.0.0/0 [goto] match-set ipsetv4 dst
087194 
+    POST_foobar_02 all -- 0.0.0.0/0 10.1.0.0/16 [goto]
087194 
+    POST_foobar_03 all -- 0.0.0.0/0 10.2.2.0/24 [goto]
087194 
+    POST_foobar_04 all -- 0.0.0.0/0 10.2.0.0/16 [goto]
087194 
+    POST_foobar_05 all -- 0.0.0.0/0 10.0.0.0/8 [goto]
087194 
+    POST_public all -- 0.0.0.0/0 20.20.20.20 [goto]
087194 
+]])
087194 
+IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
087194 
+  [[POST_foobar_010 all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+    POST_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+    POST_internal all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+    POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
087194 
+]])
087194 
+IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0,
087194 
+  [[POST_foobar_00 all ::/0 1234:5678::1:1:1 [goto]
087194 
+    POST_foobar_01 all ::/0 1234:5678::1:1:0/112 [goto]
087194 
+    POST_foobar_010 all ::/0 1234:5678::10:10:10 [goto]
087194 
+    POST_foobar_012 all ::/0 ::/0 [goto] match-set ipsetv6 dst
087194 
+    POST_foobar_02 all ::/0 1234:5678::1:0:0/96 [goto]
087194 
+    POST_foobar_03 all ::/0 1234:5678::2:2:0/112 [goto]
087194 
+    POST_foobar_04 all ::/0 1234:5678::2:0:0/96 [goto]
087194 
+    POST_foobar_05 all ::/0 1234:5678::/80 [goto]
087194 
+    POST_public all ::/0 1234:5678::20:20:20 [goto]
087194 
+]])
087194 
+IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
087194 
+  [[POST_foobar_010 all ::/0 ::/0 [goto]
087194 
+    POST_trusted all ::/0 ::/0 [goto]
087194 
+    POST_internal all ::/0 ::/0 [goto]
087194 
+    POST_public all ::/0 ::/0 [goto]
087194 
+]])
087194 
+
087194 
+FWD_END_TEST([-e '/WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now./d'])
087194 
--
087194 
2.23.0
087194

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation