From 959584ced5e1c1853b62ff5e15c3e9fa49837ea4 Mon Sep 17 00:00:00 2001

From: Eric Garver <eric@garver.life>

Date: Thu, 30 May 2019 16:16:51 -0400

Subject: [PATCH 60/73] test: add coverage for #258 and #441

(cherry picked from commit 0c49548a4954a0c5f2a982fd3a46b135afa74965)

(cherry picked from commit 87235daf6290eba20c38178edca6c9bd7475caf3)

---

 src/tests/regression.at       |   1 +

 src/tests/regression/gh258.at | 441 ++++++++++++++++++++++++++++++++++

 2 files changed, 442 insertions(+)

 create mode 100644 src/tests/regression/gh258.at

diff --git a/src/tests/regression.at b/src/tests/regression.at

index 8bcb576238e6..00690fc6459e 100644

--- a/src/tests/regression.at

+++ b/src/tests/regression.at

@@ -19,3 +19,4 @@ m4_include([regression/gh335.at])

 m4_include([regression/gh482.at])

 m4_include([regression/gh478.at])

 m4_include([regression/gh453.at])

+m4_include([regression/gh258.at])

diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at

new file mode 100644

index 000000000000..d0c4f2fa7432

--- /dev/null

+++ b/src/tests/regression/gh258.at

@@ -0,0 +1,441 @@

+FWD_START_TEST([zone dispatch layout])

+AT_KEYWORDS(zone gh258 gh441)

+

+FWD_CHECK([--zone=work --add-source="1.2.3.0/24"], 0, ignore)

+IF_IPV6_SUPPORTED([

+FWD_CHECK([--zone=public --add-source="dead:beef::/54"], 0, ignore)

+])

+FWD_CHECK([--zone=work --add-interface=dummy0], 0, ignore)

+FWD_CHECK([--zone=public --add-interface=dummy1], 0, ignore)

+

+dnl verify layout of zone dispatch

+m4_if(nftables, FIREWALL_BACKEND, [

+NFT_LIST_RULES([inet], [filter_INPUT], 0, [dnl

+    table inet firewalld {

+        chain filter_INPUT {

+            ct state established,related accept

+            iifname "lo" accept

+            jump filter_INPUT_ZONES

+            ct state invalid drop

+            reject with icmpx type admin-prohibited

+        }

+    }

+])

+NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl

+    table inet firewalld {

+        chain filter_INPUT_ZONES {

+            ip6 saddr dead:beef::/54 goto filter_IN_public

+            ip saddr 1.2.3.0/24 goto filter_IN_work

+            goto filter_INPUT_ZONES_IFACES

+        }

+    }

+])

+NFT_LIST_RULES([inet], [filter_INPUT_ZONES_IFACES], 0, [dnl

+    table inet firewalld {

+        chain filter_INPUT_ZONES_IFACES {

+            iifname "dummy1" goto filter_IN_public

+            iifname "dummy0" goto filter_IN_work

+            goto filter_IN_public

+        }

+    }

+])

+NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl

+    table inet firewalld {

+        chain filter_FORWARD {

+            ct state established,related accept

+            iifname "lo" accept

+            jump filter_FORWARD_IN_ZONES

+            jump filter_FORWARD_OUT_ZONES

+            ct state invalid drop

+            reject with icmpx type admin-prohibited

+        }

+    }

+])

+NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES], 0, [dnl

+    table inet firewalld {

+        chain filter_FORWARD_IN_ZONES {

+            ip6 saddr dead:beef::/54 goto filter_FWDI_public

+            ip saddr 1.2.3.0/24 goto filter_FWDI_work

+            goto filter_FORWARD_IN_ZONES_IFACES

+        }

+    }

+])

+NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES_IFACES], 0, [dnl

+    table inet firewalld {

+        chain filter_FORWARD_IN_ZONES_IFACES {

+            iifname "dummy1" goto filter_FWDI_public

+            iifname "dummy0" goto filter_FWDI_work

+            goto filter_FWDI_public

+        }

+    }

+])

+NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl

+    table inet firewalld {

+        chain filter_FORWARD_OUT_ZONES {

+            ip6 daddr dead:beef::/54 goto filter_FWDO_public

+            ip daddr 1.2.3.0/24 goto filter_FWDO_work

+            goto filter_FORWARD_OUT_ZONES_IFACES

+        }

+    }

+])

+NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES_IFACES], 0, [dnl

+    table inet firewalld {

+        chain filter_FORWARD_OUT_ZONES_IFACES {

+            oifname "dummy1" goto filter_FWDO_public

+            oifname "dummy0" goto filter_FWDO_work

+            goto filter_FWDO_public

+        }

+    }

+])

+NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl

+    table inet firewalld {

+        chain raw_PREROUTING {

+            m4_if(yes, HOST_SUPPORTS_NFT_FIB, [dnl

+            icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept

+            meta nfproto ipv6 fib saddr . iif oif missing drop

+            ])dnl

+            jump raw_PREROUTING_ZONES

+        }

+    }

+])

+NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl

+    table inet firewalld {

+        chain raw_PREROUTING_ZONES {

+            ip6 saddr dead:beef::/54 goto raw_PRE_public

+            ip saddr 1.2.3.0/24 goto raw_PRE_work

+            goto raw_PREROUTING_ZONES_IFACES

+        }

+    }

+])

+NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES_IFACES], 0, [dnl

+    table inet firewalld {

+        chain raw_PREROUTING_ZONES_IFACES {

+            iifname "dummy1" goto raw_PRE_public

+            iifname "dummy0" goto raw_PRE_work

+            goto raw_PRE_public

+        }

+    }

+])

+NFT_LIST_RULES([inet], [mangle_PREROUTING], 0, [dnl

+    table inet firewalld {

+        chain mangle_PREROUTING {

+            jump mangle_PREROUTING_ZONES

+        }

+    }

+])

+NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl

+    table inet firewalld {

+        chain mangle_PREROUTING_ZONES {

+            ip6 saddr dead:beef::/54 goto mangle_PRE_public

+            ip saddr 1.2.3.0/24 goto mangle_PRE_work

+            goto mangle_PREROUTING_ZONES_IFACES

+        }

+    }

+])

+NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES_IFACES], 0, [dnl

+    table inet firewalld {

+        chain mangle_PREROUTING_ZONES_IFACES {

+            iifname "dummy1" goto mangle_PRE_public

+            iifname "dummy0" goto mangle_PRE_work

+            goto mangle_PRE_public

+        }

+    }

+])

+NFT_LIST_RULES([ip], [nat_PREROUTING], 0, [dnl

+    table ip firewalld {

+        chain nat_PREROUTING {

+            jump nat_PREROUTING_ZONES

+        }

+    }

+])

+NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES], 0, [dnl

+    table ip firewalld {

+        chain nat_PREROUTING_ZONES {

+            ip saddr 1.2.3.0/24 goto nat_PRE_work

+            goto nat_PREROUTING_ZONES_IFACES

+        }

+    }

+])

+NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES_IFACES], 0, [dnl

+    table ip firewalld {

+        chain nat_PREROUTING_ZONES_IFACES {

+            iifname "dummy1" goto nat_PRE_public

+            iifname "dummy0" goto nat_PRE_work

+            goto nat_PRE_public

+        }

+    }

+])

+NFT_LIST_RULES([ip], [nat_POSTROUTING], 0, [dnl

+    table ip firewalld {

+        chain nat_POSTROUTING {

+            jump nat_POSTROUTING_ZONES

+        }

+    }

+])

+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl

+    table ip firewalld {

+        chain nat_POSTROUTING_ZONES {

+            ip daddr 1.2.3.0/24 goto nat_POST_work

+            goto nat_POSTROUTING_ZONES_IFACES

+        }

+    }

+])

+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_IFACES], 0, [dnl

+    table ip firewalld {

+        chain nat_POSTROUTING_ZONES_IFACES {

+            oifname "dummy1" goto nat_POST_public

+            oifname "dummy0" goto nat_POST_work

+            goto nat_POST_public

+        }

+    }

+])

+NFT_LIST_RULES([ip6], [nat_PREROUTING], 0, [dnl

+    table ip6 firewalld {

+        chain nat_PREROUTING {

+            jump nat_PREROUTING_ZONES

+        }

+    }

+])

+NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES], 0, [dnl

+    table ip6 firewalld {

+        chain nat_PREROUTING_ZONES {

+            ip6 saddr dead:beef::/54 goto nat_PRE_public

+            goto nat_PREROUTING_ZONES_IFACES

+        }

+    }

+])

+NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES_IFACES], 0, [dnl

+    table ip6 firewalld {

+        chain nat_PREROUTING_ZONES_IFACES {

+            iifname "dummy1" goto nat_PRE_public

+            iifname "dummy0" goto nat_PRE_work

+            goto nat_PRE_public

+        }

+    }

+])

+NFT_LIST_RULES([ip6], [nat_POSTROUTING], 0, [dnl

+    table ip6 firewalld {

+        chain nat_POSTROUTING {

+            jump nat_POSTROUTING_ZONES

+        }

+    }

+])

+NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl

+    table ip6 firewalld {

+        chain nat_POSTROUTING_ZONES {

+            ip6 daddr dead:beef::/54 goto nat_POST_public

+            goto nat_POSTROUTING_ZONES_IFACES

+        }

+    }

+])

+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_IFACES], 0, [dnl

+    table ip firewalld {

+        chain nat_POSTROUTING_ZONES_IFACES {

+            oifname "dummy1" goto nat_POST_public

+            oifname "dummy0" goto nat_POST_work

+            goto nat_POST_public

+        }

+    }

+])

+], [

+

+IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl

+    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED

+    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

+    INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0

+    INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0

+    DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID

+    REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

+])

+IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0, [dnl

+    IN_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@

+    INPUT_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+])

+IPTABLES_LIST_RULES([filter], [INPUT_ZONES_IFACES], 0, [dnl

+    IN_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+    IN_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+    IN_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+])

+IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl

+    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED

+    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

+    FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0

+    FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0

+    FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0

+    DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID

+    REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

+])

+IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, [dnl

+    FWDI_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@

+    FORWARD_IN_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+])

+IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_IFACES], 0, [dnl

+    FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+    FWDI_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+    FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+])

+IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, [dnl

+    FWDO_work all -- 0.0.0.0/0 1.2.3.0/24 @<:@goto@:>@

+    FORWARD_OUT_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+])

+IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_IFACES], 0, [dnl

+    FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+    FWDO_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+    FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+])

+IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl

+    PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0

+    PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0

+])

+IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, [dnl

+    PRE_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@

+    PREROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+])

+IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES_IFACES], 0, [dnl

+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+    PRE_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+])

+IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl

+    PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0

+    PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0

+])

+IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, [dnl

+    PRE_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@

+    PREROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+])

+IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES_IFACES], 0, [dnl

+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+    PRE_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+])

+IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl

+    PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0

+    PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0

+])

+IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, [dnl

+    PRE_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@

+    PREROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+])

+IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES_IFACES], 0, [dnl

+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+    PRE_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+])

+IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl

+    POSTROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0

+    POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0

+])

+IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, [dnl

+    POST_work all -- 0.0.0.0/0 1.2.3.0/24 @<:@goto@:>@

+    POSTROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+])

+IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES_IFACES], 0, [dnl

+    POST_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+    POST_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+    POST_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@

+])

+

+

+IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl

+    ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED

+    ACCEPT all ::/0 ::/0

+    INPUT_direct all ::/0 ::/0

+    INPUT_ZONES all ::/0 ::/0

+    DROP all ::/0 ::/0 ctstate INVALID

+    REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited

+])

+IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0, [dnl

+    IN_public all dead:beef::/54 ::/0 @<:@goto@:>@

+    INPUT_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@

+])

+IP6TABLES_LIST_RULES([filter], [INPUT_ZONES_IFACES], 0, [dnl

+    IN_public all ::/0 ::/0 @<:@goto@:>@

+    IN_work all ::/0 ::/0 @<:@goto@:>@

+    IN_public all ::/0 ::/0 @<:@goto@:>@

+])

+IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl

+    ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED

+    ACCEPT all ::/0 ::/0

+    FORWARD_direct all ::/0 ::/0

+    FORWARD_IN_ZONES all ::/0 ::/0

+    FORWARD_OUT_ZONES all ::/0 ::/0

+    DROP all ::/0 ::/0 ctstate INVALID

+    REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited

+])

+IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, [dnl

+    FWDI_public all dead:beef::/54 ::/0 @<:@goto@:>@

+    FORWARD_IN_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@

+])

+IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_IFACES], 0, [dnl

+    FWDI_public all ::/0 ::/0 @<:@goto@:>@

+    FWDI_work all ::/0 ::/0 @<:@goto@:>@

+    FWDI_public all ::/0 ::/0 @<:@goto@:>@

+])

+IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, [dnl

+    FWDO_public all ::/0 dead:beef::/54 @<:@goto@:>@

+    FORWARD_OUT_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@

+])

+IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_IFACES], 0, [dnl

+    FWDO_public all ::/0 ::/0 @<:@goto@:>@

+    FWDO_work all ::/0 ::/0 @<:@goto@:>@

+    FWDO_public all ::/0 ::/0 @<:@goto@:>@

+])

+IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl

+    ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134

+    ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135

+    DROP all ::/0 ::/0 rpfilter invert

+    PREROUTING_direct all ::/0 ::/0

+    PREROUTING_ZONES all ::/0 ::/0

+])

+IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, [dnl

+    PRE_public all dead:beef::/54 ::/0 @<:@goto@:>@

+    PREROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@

+])

+IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES_IFACES], 0, [dnl

+    PRE_public all ::/0 ::/0 @<:@goto@:>@

+    PRE_work all ::/0 ::/0 @<:@goto@:>@

+    PRE_public all ::/0 ::/0 @<:@goto@:>@

+])

+IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl

+    PREROUTING_direct all ::/0 ::/0

+    PREROUTING_ZONES all ::/0 ::/0

+])

+IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, [dnl

+    PRE_public all dead:beef::/54 ::/0 @<:@goto@:>@

+    PREROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@

+])

+IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES_IFACES], 0, [dnl

+    PRE_public all ::/0 ::/0 @<:@goto@:>@

+    PRE_work all ::/0 ::/0 @<:@goto@:>@

+    PRE_public all ::/0 ::/0 @<:@goto@:>@

+])

+IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl

+    PREROUTING_direct all ::/0 ::/0

+    PREROUTING_ZONES all ::/0 ::/0

+])

+IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, [dnl

+    PRE_public all dead:beef::/54 ::/0 @<:@goto@:>@

+    PREROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@

+])

+IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES_IFACES], 0, [dnl

+    PRE_public all ::/0 ::/0 @<:@goto@:>@

+    PRE_work all ::/0 ::/0 @<:@goto@:>@

+    PRE_public all ::/0 ::/0 @<:@goto@:>@

+])

+IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl

+    POSTROUTING_direct all ::/0 ::/0

+    POSTROUTING_ZONES all ::/0 ::/0

+])

+IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, [dnl

+    POST_public all ::/0 dead:beef::/54 @<:@goto@:>@

+    POSTROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@

+])

+IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES_IFACES], 0, [dnl

+    POST_public all ::/0 ::/0 @<:@goto@:>@

+    POST_work all ::/0 ::/0 @<:@goto@:>@

+    POST_public all ::/0 ::/0 @<:@goto@:>@

+])

+])

+

+FWD_END_TEST

-- 

2.20.1