
From e5bc451f0f0240c7fe460196e6d07163366318c2 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Sun, 19 Jan 2020 16:49:14 -0500
Subject: [PATCH 142/146] test: verify AllowZoneDrifting=yes
Verify the zone dispatch layout.
(cherry picked from commit bca4e6af91fc4c6a55f7c2bce9e4fe7bcee526a1)
(cherry picked from commit cd257ae4604b1666136ffb1e12924a5c1f74095f)
---
 src/tests/regression/gh258.at       | 532 +++++++++++++++++++++++++---
 src/tests/regression/rhbz1734765.at | 181 +++++++++-
 2 files changed, 668 insertions(+), 45 deletions(-)
diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at
index 5671c37ba432..5c5c8db0126f 100644
--- a/src/tests/regression/gh258.at
+++ b/src/tests/regression/gh258.at
@@ -1,12 +1,15 @@
 FWD_START_TEST([zone dispatch layout])
4f7c03
-AT_KEYWORDS(zone gh258 gh441 rhbz1713823)
4f7c03
+AT_KEYWORDS(zone gh258 gh441 rhbz1713823 rhbz1772208 rhbz1796055)
4f7c03
 
4f7c03
-FWD_CHECK([--zone=work --add-source="1.2.3.0/24"], 0, ignore)
4f7c03
+FWD_CHECK([--permanent --zone=trusted --add-source="1.2.3.0/24"], 0, ignore)
4f7c03
 IF_HOST_SUPPORTS_IPV6_RULES([
4f7c03
-FWD_CHECK([--zone=public --add-source="dead:beef::/54"], 0, ignore)
4f7c03
+FWD_CHECK([--permanent --zone=public --add-source="dead:beef::/54"], 0, ignore)
4f7c03
 ])
4f7c03
-FWD_CHECK([--zone=work --add-interface=dummy0], 0, ignore)
4f7c03
-FWD_CHECK([--zone=public --add-interface=dummy1], 0, ignore)
4f7c03
+FWD_CHECK([--permanent --zone=trusted --add-interface=dummy0], 0, ignore)
4f7c03
+FWD_CHECK([--permanent --zone=public --add-interface=dummy1], 0, ignore)
4f7c03
+
4f7c03
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
4f7c03
+FWD_RELOAD
4f7c03
 
4f7c03
 dnl verify layout of zone dispatch
4f7c03
 m4_if(nftables, FIREWALL_BACKEND, [
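Review bot: The new `sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf` is a silent no-op if the harness's `./firewalld.conf` does not already carry an uncommented `AllowZoneDrifting` line, in which case every expectation that follows pins the daemon's built-in default rather than the value this test claims to exercise. Since the whole point of the commit is to pin both settings of an option the daemon itself labels insecure, make the precondition explicit by following the sed with `AT_CHECK([grep -q '^AllowZoneDrifting=no$' ./firewalld.conf])` before `FWD_RELOAD`; the same applies to the `=yes` toggle later in this file. The switch of the `--add-source`/`--add-interface` calls from runtime to `--permanent` is presumably needed because `FWD_RELOAD` discards runtime configuration; a one-line `dnl` comment saying so would save the next reader a detour.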
4f7c03
@@ -25,9 +28,9 @@ NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl
4f7c03
     table inet firewalld {
4f7c03
         chain filter_INPUT_ZONES {
4f7c03
             ip6 saddr dead:beef::/54 goto filter_IN_public
4f7c03
-            ip saddr 1.2.3.0/24 goto filter_IN_work
4f7c03
+            ip saddr 1.2.3.0/24 goto filter_IN_trusted
4f7c03
+            iifname "dummy0" goto filter_IN_trusted
4f7c03
             iifname "dummy1" goto filter_IN_public
4f7c03
-            iifname "dummy0" goto filter_IN_work
4f7c03
             goto filter_IN_public
4f7c03
         }
4f7c03
     }
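Review bot: With AllowZoneDrifting=no the expected `filter_INPUT_ZONES` chain now holds both the source rules and the interface rules, but nothing in this hunk establishes that `filter_INPUT` no longer jumps to a `filter_INPUT_ZONES_SOURCE` chain, which is the actual guarantee that turns drifting off: a stale `jump filter_INPUT_ZONES_SOURCE` ahead of `jump filter_INPUT_ZONES` would reintroduce the fall-through while this listing stays green. The `filter_INPUT` listing for the `=no` case, if there is one, sits above this hunk and is outside my view; if it is not pinned, either list `filter_INPUT` and assert the exact jump sequence the way the `=yes` section later in this patch does, or add a negative check such as `NFT_LIST_RULES([inet], [filter_INPUT_ZONES_SOURCE], 1, ignore)` (assuming `NFT_LIST_RULES` passes the expected exit status through and `nft list chain` fails on a missing chain). The order of the two source rules here (public's `dead:beef::/54` before trusted's `1.2.3.0/24`) is by zone name rather than insertion order; a short `dnl` note pointing at rhbz1734765 would make that intentional.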
4f7c03
@@ -48,9 +51,9 @@ NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES], 0, [dnl
4f7c03
     table inet firewalld {
4f7c03
         chain filter_FORWARD_IN_ZONES {
4f7c03
             ip6 saddr dead:beef::/54 goto filter_FWDI_public
4f7c03
-            ip saddr 1.2.3.0/24 goto filter_FWDI_work
4f7c03
+            ip saddr 1.2.3.0/24 goto filter_FWDI_trusted
4f7c03
+            iifname "dummy0" goto filter_FWDI_trusted
4f7c03
             iifname "dummy1" goto filter_FWDI_public
4f7c03
-            iifname "dummy0" goto filter_FWDI_work
4f7c03
             goto filter_FWDI_public
4f7c03
         }
4f7c03
     }
4f7c03
@@ -59,9 +62,9 @@ NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl
4f7c03
     table inet firewalld {
4f7c03
         chain filter_FORWARD_OUT_ZONES {
4f7c03
             ip6 daddr dead:beef::/54 goto filter_FWDO_public
4f7c03
-            ip daddr 1.2.3.0/24 goto filter_FWDO_work
4f7c03
+            ip daddr 1.2.3.0/24 goto filter_FWDO_trusted
4f7c03
+            oifname "dummy0" goto filter_FWDO_trusted
4f7c03
             oifname "dummy1" goto filter_FWDO_public
4f7c03
-            oifname "dummy0" goto filter_FWDO_work
4f7c03
             goto filter_FWDO_public
4f7c03
         }
4f7c03
     }
4f7c03
@@ -89,9 +92,9 @@ NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl
4f7c03
     table inet firewalld {
4f7c03
         chain raw_PREROUTING_ZONES {
4f7c03
             ip6 saddr dead:beef::/54 goto raw_PRE_public
4f7c03
-            ip saddr 1.2.3.0/24 goto raw_PRE_work
4f7c03
+            ip saddr 1.2.3.0/24 goto raw_PRE_trusted
4f7c03
+            iifname "dummy0" goto raw_PRE_trusted
4f7c03
             iifname "dummy1" goto raw_PRE_public
4f7c03
-            iifname "dummy0" goto raw_PRE_work
4f7c03
             goto raw_PRE_public
4f7c03
         }
4f7c03
     }
4f7c03
@@ -107,9 +110,9 @@ NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl
4f7c03
     table inet firewalld {
4f7c03
         chain mangle_PREROUTING_ZONES {
4f7c03
             ip6 saddr dead:beef::/54 goto mangle_PRE_public
4f7c03
-            ip saddr 1.2.3.0/24 goto mangle_PRE_work
4f7c03
+            ip saddr 1.2.3.0/24 goto mangle_PRE_trusted
4f7c03
+            iifname "dummy0" goto mangle_PRE_trusted
4f7c03
             iifname "dummy1" goto mangle_PRE_public
4f7c03
-            iifname "dummy0" goto mangle_PRE_work
4f7c03
             goto mangle_PRE_public
4f7c03
         }
4f7c03
     }
4f7c03
@@ -124,9 +127,9 @@ NFT_LIST_RULES([ip], [nat_PREROUTING], 0, [dnl
4f7c03
 NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES], 0, [dnl
4f7c03
     table ip firewalld {
4f7c03
         chain nat_PREROUTING_ZONES {
4f7c03
-            ip saddr 1.2.3.0/24 goto nat_PRE_work
4f7c03
+            ip saddr 1.2.3.0/24 goto nat_PRE_trusted
4f7c03
+            iifname "dummy0" goto nat_PRE_trusted
4f7c03
             iifname "dummy1" goto nat_PRE_public
4f7c03
-            iifname "dummy0" goto nat_PRE_work
4f7c03
             goto nat_PRE_public
4f7c03
         }
4f7c03
     }
4f7c03
@@ -141,9 +144,9 @@ NFT_LIST_RULES([ip], [nat_POSTROUTING], 0, [dnl
4f7c03
 NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl
4f7c03
     table ip firewalld {
4f7c03
         chain nat_POSTROUTING_ZONES {
4f7c03
-            ip daddr 1.2.3.0/24 goto nat_POST_work
4f7c03
+            ip daddr 1.2.3.0/24 goto nat_POST_trusted
4f7c03
+            oifname "dummy0" goto nat_POST_trusted
4f7c03
             oifname "dummy1" goto nat_POST_public
4f7c03
-            oifname "dummy0" goto nat_POST_work
4f7c03
             goto nat_POST_public
4f7c03
         }
4f7c03
     }
4f7c03
@@ -159,8 +162,8 @@ NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES], 0, [dnl
4f7c03
     table ip6 firewalld {
4f7c03
         chain nat_PREROUTING_ZONES {
4f7c03
             ip6 saddr dead:beef::/54 goto nat_PRE_public
4f7c03
+            iifname "dummy0" goto nat_PRE_trusted
4f7c03
             iifname "dummy1" goto nat_PRE_public
4f7c03
-            iifname "dummy0" goto nat_PRE_work
4f7c03
             goto nat_PRE_public
4f7c03
         }
4f7c03
     }
4f7c03
@@ -176,8 +179,8 @@ NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl
4f7c03
     table ip6 firewalld {
4f7c03
         chain nat_POSTROUTING_ZONES {
4f7c03
             ip6 daddr dead:beef::/54 goto nat_POST_public
4f7c03
+            oifname "dummy0" goto nat_POST_trusted
4f7c03
             oifname "dummy1" goto nat_POST_public
4f7c03
-            oifname "dummy0" goto nat_POST_work
4f7c03
             goto nat_POST_public
4f7c03
         }
4f7c03
     }
4f7c03
@@ -193,9 +196,9 @@ IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
4f7c03
     REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
4f7c03
 ])
4f7c03
 IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
4f7c03
-  [[IN_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
4f7c03
+  [[IN_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
4f7c03
+    IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
     IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
-    IN_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
     IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
 ]])
4f7c03
 IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
4f7c03
@@ -208,15 +211,15 @@ IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
4f7c03
     REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
4f7c03
 ])
4f7c03
 IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0,
4f7c03
-  [[FWDI_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
4f7c03
+  [[FWDI_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
4f7c03
+    FWDI_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
     FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
-    FWDI_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
     FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
 ]])
4f7c03
 IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0,
4f7c03
-  [[FWDO_work all -- 0.0.0.0/0 1.2.3.0/24 [goto]
4f7c03
+  [[FWDO_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto]
4f7c03
+    FWDO_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
     FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
-    FWDO_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
     FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
 ]])
4f7c03
 IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
4f7c03
@@ -224,9 +227,9 @@ IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
4f7c03
     PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
 ])
4f7c03
 IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,
4f7c03
-  [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
4f7c03
+  [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
4f7c03
+    PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
     PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
-    PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
     PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
 ]])
4f7c03
 IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
4f7c03
@@ -234,9 +237,9 @@ IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
4f7c03
     PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
 ])
4f7c03
 IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0,
4f7c03
-  [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
4f7c03
+  [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
4f7c03
+    PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
     PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
-    PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
     PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
 ]])
4f7c03
 IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
4f7c03
@@ -244,9 +247,9 @@ IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
4f7c03
     PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
 ])
4f7c03
 IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0,
4f7c03
-  [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
4f7c03
+  [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
4f7c03
+    PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
     PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
-    PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
     PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
 ]])
4f7c03
 IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
4f7c03
@@ -254,9 +257,9 @@ IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
4f7c03
     POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
 ])
4f7c03
 IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
4f7c03
-  [[POST_work all -- 0.0.0.0/0 1.2.3.0/24 [goto]
4f7c03
+  [[POST_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto]
4f7c03
+    POST_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
     POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
-    POST_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
     POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
 ]])
4f7c03
 
4f7c03
@@ -270,8 +273,8 @@ IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl
4f7c03
 ])
4f7c03
 IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
4f7c03
   [[IN_public all dead:beef::/54 ::/0 [goto]
4f7c03
+    IN_trusted all ::/0 ::/0 [goto]
4f7c03
     IN_public all ::/0 ::/0 [goto]
4f7c03
-    IN_work all ::/0 ::/0 [goto]
4f7c03
     IN_public all ::/0 ::/0 [goto]
4f7c03
 ]])
4f7c03
 IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
4f7c03
@@ -285,14 +288,14 @@ IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
4f7c03
 ])
4f7c03
 IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0,
4f7c03
   [[FWDI_public all dead:beef::/54 ::/0 [goto]
4f7c03
+    FWDI_trusted all ::/0 ::/0 [goto]
4f7c03
     FWDI_public all ::/0 ::/0 [goto]
4f7c03
-    FWDI_work all ::/0 ::/0 [goto]
4f7c03
     FWDI_public all ::/0 ::/0 [goto]
4f7c03
 ]])
4f7c03
 IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0,
4f7c03
   [[FWDO_public all ::/0 dead:beef::/54 [goto]
4f7c03
+    FWDO_trusted all ::/0 ::/0 [goto]
4f7c03
     FWDO_public all ::/0 ::/0 [goto]
4f7c03
-    FWDO_work all ::/0 ::/0 [goto]
4f7c03
     FWDO_public all ::/0 ::/0 [goto]
4f7c03
 ]])
4f7c03
 IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
4f7c03
@@ -304,8 +307,8 @@ IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
4f7c03
 ])
4f7c03
 IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,
4f7c03
   [[PRE_public all dead:beef::/54 ::/0 [goto]
4f7c03
+    PRE_trusted all ::/0 ::/0 [goto]
4f7c03
     PRE_public all ::/0 ::/0 [goto]
4f7c03
-    PRE_work all ::/0 ::/0 [goto]
4f7c03
     PRE_public all ::/0 ::/0 [goto]
4f7c03
 ]])
4f7c03
 IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
4f7c03
@@ -314,8 +317,8 @@ IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
4f7c03
 ])
4f7c03
 IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0,
4f7c03
   [[PRE_public all dead:beef::/54 ::/0 [goto]
4f7c03
+    PRE_trusted all ::/0 ::/0 [goto]
4f7c03
     PRE_public all ::/0 ::/0 [goto]
4f7c03
-    PRE_work all ::/0 ::/0 [goto]
4f7c03
     PRE_public all ::/0 ::/0 [goto]
4f7c03
 ]])
4f7c03
 IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
4f7c03
@@ -324,8 +327,8 @@ IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
4f7c03
 ])
4f7c03
 IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0,
4f7c03
   [[PRE_public all dead:beef::/54 ::/0 [goto]
4f7c03
+    PRE_trusted all ::/0 ::/0 [goto]
4f7c03
     PRE_public all ::/0 ::/0 [goto]
4f7c03
-    PRE_work all ::/0 ::/0 [goto]
4f7c03
     PRE_public all ::/0 ::/0 [goto]
4f7c03
 ]])
4f7c03
 IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
4f7c03
@@ -334,10 +337,453 @@ IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
4f7c03
 ])
4f7c03
 IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
4f7c03
   [[POST_public all ::/0 dead:beef::/54 [goto]
4f7c03
+    POST_trusted all ::/0 ::/0 [goto]
4f7c03
     POST_public all ::/0 ::/0 [goto]
4f7c03
-    POST_work all ::/0 ::/0 [goto]
4f7c03
     POST_public all ::/0 ::/0 [goto]
4f7c03
 ]])
4f7c03
 ])
4f7c03
 
4f7c03
-FWD_END_TEST
4f7c03
+dnl ##########################################################################
4f7c03
+dnl ##########################################################################
4f7c03
+dnl We also support zone drifting in which source based zones fall through to
4f7c03
+dnl interface based zones (including default zone).
4f7c03
+dnl ##########################################################################
4f7c03
+dnl ##########################################################################
4f7c03
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=yes/' ./firewalld.conf])
4f7c03
+FWD_RELOAD
4f7c03
+
4f7c03
+NFT_LIST_RULES([inet], [filter_INPUT], 0, [dnl
4f7c03
+    table inet firewalld {
4f7c03
+        chain filter_INPUT {
4f7c03
+            ct state established,related accept
4f7c03
+            iifname "lo" accept
4f7c03
+            jump filter_INPUT_ZONES_SOURCE
4f7c03
+            jump filter_INPUT_ZONES
4f7c03
+            ct state invalid drop
4f7c03
+            reject with icmpx type admin-prohibited
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([inet], [filter_INPUT_ZONES_SOURCE], 0, [dnl
4f7c03
+    table inet firewalld {
4f7c03
+        chain filter_INPUT_ZONES_SOURCE {
4f7c03
+            ip6 saddr dead:beef::/54 goto filter_IN_public
4f7c03
+            ip saddr 1.2.3.0/24 goto filter_IN_trusted
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl
4f7c03
+    table inet firewalld {
4f7c03
+        chain filter_INPUT_ZONES {
4f7c03
+            iifname "dummy0" goto filter_IN_trusted
4f7c03
+            iifname "dummy1" goto filter_IN_public
4f7c03
+            goto filter_IN_public
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
4f7c03
+    table inet firewalld {
4f7c03
+        chain filter_FORWARD {
4f7c03
+            ct state established,related accept
4f7c03
+            iifname "lo" accept
4f7c03
+            jump filter_FORWARD_IN_ZONES_SOURCE
4f7c03
+            jump filter_FORWARD_IN_ZONES
4f7c03
+            jump filter_FORWARD_OUT_ZONES_SOURCE
4f7c03
+            jump filter_FORWARD_OUT_ZONES
4f7c03
+            ct state invalid drop
4f7c03
+            reject with icmpx type admin-prohibited
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES_SOURCE], 0, [dnl
4f7c03
+    table inet firewalld {
4f7c03
+        chain filter_FORWARD_IN_ZONES_SOURCE {
4f7c03
+            ip6 saddr dead:beef::/54 goto filter_FWDI_public
4f7c03
+            ip saddr 1.2.3.0/24 goto filter_FWDI_trusted
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES], 0, [dnl
4f7c03
+    table inet firewalld {
4f7c03
+        chain filter_FORWARD_IN_ZONES {
4f7c03
+            iifname "dummy0" goto filter_FWDI_trusted
4f7c03
+            iifname "dummy1" goto filter_FWDI_public
4f7c03
+            goto filter_FWDI_public
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES_SOURCE], 0, [dnl
4f7c03
+    table inet firewalld {
4f7c03
+        chain filter_FORWARD_OUT_ZONES_SOURCE {
4f7c03
+            ip6 daddr dead:beef::/54 goto filter_FWDO_public
4f7c03
+            ip daddr 1.2.3.0/24 goto filter_FWDO_trusted
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl
4f7c03
+    table inet firewalld {
4f7c03
+        chain filter_FORWARD_OUT_ZONES {
4f7c03
+            oifname "dummy0" goto filter_FWDO_trusted
4f7c03
+            oifname "dummy1" goto filter_FWDO_public
4f7c03
+            goto filter_FWDO_public
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+IF_HOST_SUPPORTS_NFT_FIB([
4f7c03
+    NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl
4f7c03
+        table inet firewalld {
4f7c03
+            chain raw_PREROUTING {
4f7c03
+                icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
4f7c03
+                meta nfproto ipv6 fib saddr . iif oif missing drop
4f7c03
+                jump raw_PREROUTING_ZONES_SOURCE
4f7c03
+                jump raw_PREROUTING_ZONES
4f7c03
+            }
4f7c03
+        }
4f7c03
+    ])
4f7c03
+], [
4f7c03
+    NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl
4f7c03
+        table inet firewalld {
4f7c03
+            chain raw_PREROUTING {
4f7c03
+                jump raw_PREROUTING_ZONES_SOURCE
4f7c03
+                jump raw_PREROUTING_ZONES
4f7c03
+            }
4f7c03
+        }
4f7c03
+    ])
4f7c03
+])
4f7c03
+NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES_SOURCE], 0, [dnl
4f7c03
+    table inet firewalld {
4f7c03
+        chain raw_PREROUTING_ZONES_SOURCE {
4f7c03
+            ip6 saddr dead:beef::/54 goto raw_PRE_public
4f7c03
+            ip saddr 1.2.3.0/24 goto raw_PRE_trusted
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl
4f7c03
+    table inet firewalld {
4f7c03
+        chain raw_PREROUTING_ZONES {
4f7c03
+            iifname "dummy0" goto raw_PRE_trusted
4f7c03
+            iifname "dummy1" goto raw_PRE_public
4f7c03
+            goto raw_PRE_public
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([inet], [mangle_PREROUTING], 0, [dnl
4f7c03
+    table inet firewalld {
4f7c03
+        chain mangle_PREROUTING {
4f7c03
+            jump mangle_PREROUTING_ZONES_SOURCE
4f7c03
+            jump mangle_PREROUTING_ZONES
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES_SOURCE], 0, [dnl
4f7c03
+    table inet firewalld {
4f7c03
+        chain mangle_PREROUTING_ZONES_SOURCE {
4f7c03
+            ip6 saddr dead:beef::/54 goto mangle_PRE_public
4f7c03
+            ip saddr 1.2.3.0/24 goto mangle_PRE_trusted
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl
4f7c03
+    table inet firewalld {
4f7c03
+        chain mangle_PREROUTING_ZONES {
4f7c03
+            iifname "dummy0" goto mangle_PRE_trusted
4f7c03
+            iifname "dummy1" goto mangle_PRE_public
4f7c03
+            goto mangle_PRE_public
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([ip], [nat_PREROUTING], 0, [dnl
4f7c03
+    table ip firewalld {
4f7c03
+        chain nat_PREROUTING {
4f7c03
+            jump nat_PREROUTING_ZONES_SOURCE
4f7c03
+            jump nat_PREROUTING_ZONES
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES_SOURCE], 0, [dnl
4f7c03
+    table ip firewalld {
4f7c03
+        chain nat_PREROUTING_ZONES_SOURCE {
4f7c03
+            ip saddr 1.2.3.0/24 goto nat_PRE_trusted
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES], 0, [dnl
4f7c03
+    table ip firewalld {
4f7c03
+        chain nat_PREROUTING_ZONES {
4f7c03
+            iifname "dummy0" goto nat_PRE_trusted
4f7c03
+            iifname "dummy1" goto nat_PRE_public
4f7c03
+            goto nat_PRE_public
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([ip], [nat_POSTROUTING], 0, [dnl
4f7c03
+    table ip firewalld {
4f7c03
+        chain nat_POSTROUTING {
4f7c03
+            jump nat_POSTROUTING_ZONES_SOURCE
4f7c03
+            jump nat_POSTROUTING_ZONES
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
4f7c03
+    table ip firewalld {
4f7c03
+        chain nat_POSTROUTING_ZONES_SOURCE {
4f7c03
+            ip daddr 1.2.3.0/24 goto nat_POST_trusted
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl
4f7c03
+    table ip firewalld {
4f7c03
+        chain nat_POSTROUTING_ZONES {
4f7c03
+            oifname "dummy0" goto nat_POST_trusted
4f7c03
+            oifname "dummy1" goto nat_POST_public
4f7c03
+            goto nat_POST_public
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([ip6], [nat_PREROUTING], 0, [dnl
4f7c03
+    table ip6 firewalld {
4f7c03
+        chain nat_PREROUTING {
4f7c03
+            jump nat_PREROUTING_ZONES_SOURCE
4f7c03
+            jump nat_PREROUTING_ZONES
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES_SOURCE], 0, [dnl
4f7c03
+    table ip6 firewalld {
4f7c03
+        chain nat_PREROUTING_ZONES_SOURCE {
4f7c03
+            ip6 saddr dead:beef::/54 goto nat_PRE_public
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES], 0, [dnl
4f7c03
+    table ip6 firewalld {
4f7c03
+        chain nat_PREROUTING_ZONES {
4f7c03
+            iifname "dummy0" goto nat_PRE_trusted
4f7c03
+            iifname "dummy1" goto nat_PRE_public
4f7c03
+            goto nat_PRE_public
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([ip6], [nat_POSTROUTING], 0, [dnl
4f7c03
+    table ip6 firewalld {
4f7c03
+        chain nat_POSTROUTING {
4f7c03
+            jump nat_POSTROUTING_ZONES_SOURCE
4f7c03
+            jump nat_POSTROUTING_ZONES
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
4f7c03
+    table ip6 firewalld {
4f7c03
+        chain nat_POSTROUTING_ZONES_SOURCE {
4f7c03
+            ip6 daddr dead:beef::/54 goto nat_POST_public
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl
4f7c03
+    table ip6 firewalld {
4f7c03
+        chain nat_POSTROUTING_ZONES {
4f7c03
+            oifname "dummy0" goto nat_POST_trusted
4f7c03
+            oifname "dummy1" goto nat_POST_public
4f7c03
+            goto nat_POST_public
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+
4f7c03
+IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
4f7c03
+    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
4f7c03
+    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
+    INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
+    INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
+    INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
+    DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
4f7c03
+    REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
4f7c03
+])
4f7c03
+IPTABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0,
4f7c03
+  [[IN_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
4f7c03
+]])
4f7c03
+IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
4f7c03
+  [[IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+    IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+    IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+]])
4f7c03
+IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
4f7c03
+    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
4f7c03
+    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
+    FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
+    FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
+    FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
+    FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
+    FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
+    DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
4f7c03
+    REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
4f7c03
+])
4f7c03
+IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_SOURCE], 0,
4f7c03
+  [[FWDI_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
4f7c03
+]])
4f7c03
+IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0,
4f7c03
+  [[FWDI_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+    FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+    FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+]])
4f7c03
+IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_SOURCE], 0,
4f7c03
+  [[FWDO_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto]
4f7c03
+]])
4f7c03
+IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0,
4f7c03
+  [[FWDO_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+    FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+    FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+]])
4f7c03
+IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
4f7c03
+    PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
+    PREROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
+    PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
+])
4f7c03
+IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES_SOURCE], 0,
4f7c03
+  [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
4f7c03
+]])
4f7c03
+IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,
4f7c03
+  [[PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+]])
4f7c03
+IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
4f7c03
+    PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
+    PREROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
+    PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
+])
4f7c03
+IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES_SOURCE], 0,
4f7c03
+  [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
4f7c03
+]])
4f7c03
+IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0,
4f7c03
+  [[PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+]])
4f7c03
+IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
4f7c03
+    PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
+    PREROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
+    PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
+])
4f7c03
+IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES_SOURCE], 0,
4f7c03
+  [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
4f7c03
+]])
4f7c03
+IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0,
4f7c03
+  [[PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+    PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+]])
4f7c03
+IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
4f7c03
+    POSTROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
+    POSTROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
+    POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
4f7c03
+])
4f7c03
+IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0,
4f7c03
+  [[POST_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto]
4f7c03
+]])
4f7c03
+IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
4f7c03
+  [[POST_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+    POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+    POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+]])
4f7c03
+
4f7c03
+IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl
4f7c03
+    ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
4f7c03
+    ACCEPT all ::/0 ::/0
4f7c03
+    INPUT_direct all ::/0 ::/0
4f7c03
+    INPUT_ZONES_SOURCE all ::/0 ::/0
4f7c03
+    INPUT_ZONES all ::/0 ::/0
4f7c03
+    DROP all ::/0 ::/0 ctstate INVALID
4f7c03
+    REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
4f7c03
+])
4f7c03
+IP6TABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0,
4f7c03
+  [[IN_public all dead:beef::/54 ::/0 [goto]
4f7c03
+]])
4f7c03
+IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
4f7c03
+  [[IN_trusted all ::/0 ::/0 [goto]
4f7c03
+    IN_public all ::/0 ::/0 [goto]
4f7c03
+    IN_public all ::/0 ::/0 [goto]
4f7c03
+]])
4f7c03
+IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
4f7c03
+    ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
4f7c03
+    ACCEPT all ::/0 ::/0
4f7c03
+    FORWARD_direct all ::/0 ::/0
4f7c03
+    FORWARD_IN_ZONES_SOURCE all ::/0 ::/0
4f7c03
+    FORWARD_IN_ZONES all ::/0 ::/0
4f7c03
+    FORWARD_OUT_ZONES_SOURCE all ::/0 ::/0
4f7c03
+    FORWARD_OUT_ZONES all ::/0 ::/0
4f7c03
+    DROP all ::/0 ::/0 ctstate INVALID
4f7c03
+    REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
4f7c03
+])
4f7c03
+IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_SOURCE], 0,
4f7c03
+  [[FWDI_public all dead:beef::/54 ::/0 [goto]
4f7c03
+]])
4f7c03
+IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0,
4f7c03
+  [[FWDI_trusted all ::/0 ::/0 [goto]
4f7c03
+    FWDI_public all ::/0 ::/0 [goto]
4f7c03
+    FWDI_public all ::/0 ::/0 [goto]
4f7c03
+]])
4f7c03
+IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_SOURCE], 0,
4f7c03
+  [[FWDO_public all ::/0 dead:beef::/54 [goto]
4f7c03
+]])
4f7c03
+IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0,
4f7c03
+  [[FWDO_trusted all ::/0 ::/0 [goto]
4f7c03
+    FWDO_public all ::/0 ::/0 [goto]
4f7c03
+    FWDO_public all ::/0 ::/0 [goto]
4f7c03
+]])
4f7c03
+IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
4f7c03
+    ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134
4f7c03
+    ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135
4f7c03
+    DROP all ::/0 ::/0 rpfilter invert
4f7c03
+    PREROUTING_direct all ::/0 ::/0
4f7c03
+    PREROUTING_ZONES_SOURCE all ::/0 ::/0
4f7c03
+    PREROUTING_ZONES all ::/0 ::/0
4f7c03
+])
4f7c03
+IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES_SOURCE], 0,
4f7c03
+  [[PRE_public all dead:beef::/54 ::/0 [goto]
4f7c03
+]])
4f7c03
+IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,
4f7c03
+  [[PRE_trusted all ::/0 ::/0 [goto]
4f7c03
+    PRE_public all ::/0 ::/0 [goto]
4f7c03
+    PRE_public all ::/0 ::/0 [goto]
4f7c03
+]])
4f7c03
+IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
4f7c03
+    PREROUTING_direct all ::/0 ::/0
4f7c03
+    PREROUTING_ZONES_SOURCE all ::/0 ::/0
4f7c03
+    PREROUTING_ZONES all ::/0 ::/0
4f7c03
+])
4f7c03
+IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES_SOURCE], 0,
4f7c03
+  [[PRE_public all dead:beef::/54 ::/0 [goto]
4f7c03
+]])
4f7c03
+IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0,
4f7c03
+  [[PRE_trusted all ::/0 ::/0 [goto]
4f7c03
+    PRE_public all ::/0 ::/0 [goto]
4f7c03
+    PRE_public all ::/0 ::/0 [goto]
4f7c03
+]])
4f7c03
+IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
4f7c03
+    PREROUTING_direct all ::/0 ::/0
4f7c03
+    PREROUTING_ZONES_SOURCE all ::/0 ::/0
4f7c03
+    PREROUTING_ZONES all ::/0 ::/0
4f7c03
+])
4f7c03
+IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES_SOURCE], 0,
4f7c03
+  [[PRE_public all dead:beef::/54 ::/0 [goto]
4f7c03
+]])
4f7c03
+IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0,
4f7c03
+  [[PRE_trusted all ::/0 ::/0 [goto]
4f7c03
+    PRE_public all ::/0 ::/0 [goto]
4f7c03
+    PRE_public all ::/0 ::/0 [goto]
4f7c03
+]])
4f7c03
+IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
4f7c03
+    POSTROUTING_direct all ::/0 ::/0
4f7c03
+    POSTROUTING_ZONES_SOURCE all ::/0 ::/0
4f7c03
+    POSTROUTING_ZONES all ::/0 ::/0
4f7c03
+])
4f7c03
+IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0,
4f7c03
+  [[POST_public all ::/0 dead:beef::/54 [goto]
4f7c03
+]])
4f7c03
+IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
4f7c03
+  [[POST_trusted all ::/0 ::/0 [goto]
4f7c03
+    POST_public all ::/0 ::/0 [goto]
4f7c03
+    POST_public all ::/0 ::/0 [goto]
4f7c03
+]])
4f7c03
+
4f7c03
+FWD_END_TEST([-e '/WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now./d'])
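Review bot: The iptables expectations in the new `=yes` section, e.g. `IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]` followed by two `IN_public` lines in `INPUT_ZONES`, cannot tell the `dummy0` dispatch apart from an unconditional goto: the listing carries no in/out interface column (presumably `IPTABLES_LIST_RULES` runs `iptables -L -n` without `-v`), so a regression that dropped the `-i dummy0` match and sent all interface traffic to `trusted` would still pass, whereas the nftables half of the same section does pin `iifname "dummy0"`. If the helper can be run with `-v`, or the check widened to `iptables -S INPUT_ZONES`, the interface match should be asserted for at least `INPUT_ZONES` and `FORWARD_IN_ZONES`; otherwise a `dnl` comment noting the blind spot is the minimum. Separately, the `-e '/WARNING: AllowZoneDrifting is enabled.../d'` filter handed to `FWD_END_TEST` only discards the warning, so the test would also pass if the daemon stopped emitting it; since that warning is the only signal to an operator that the insecure mode is on, consider an explicit `AT_CHECK([grep -q 'AllowZoneDrifting is enabled' <daemon log>])` before the filter, using whatever log file the harness feeds to `FWD_END_TEST`.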
4f7c03
diff --git a/src/tests/regression/rhbz1734765.at b/src/tests/regression/rhbz1734765.at
4f7c03
index 276c1e433025..60cd18a6a6ea 100644
4f7c03
--- a/src/tests/regression/rhbz1734765.at
4f7c03
+++ b/src/tests/regression/rhbz1734765.at
4f7c03
@@ -1,9 +1,12 @@
4f7c03
 FWD_START_TEST([zone sources ordered by name])
4f7c03
-AT_KEYWORDS(zone rhbz1734765 rhbz1421222 gh166 rhbz1738545)
4f7c03
+AT_KEYWORDS(zone rhbz1734765 rhbz1421222 gh166 rhbz1738545 rhbz1772208 rhbz1796055)
4f7c03
 dnl
4f7c03
 dnl Users depend on firewalld ordering source-based zone dispatch by zone name.
4f7c03
 dnl
4f7c03
 
4f7c03
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
4f7c03
+FWD_RELOAD
4f7c03
+
4f7c03
 FWD_CHECK([-q --permanent --new-zone=foobar_00])
4f7c03
 FWD_CHECK([-q --permanent --new-zone=foobar_05])
4f7c03
 FWD_CHECK([-q --permanent --new-zone=foobar_02])
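Review bot: The new setup line `AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])` is a silent no-op when firewalld.conf carries no `AllowZoneDrifting` line, since an unmatched `s///` still exits 0; the test would then run under whatever default the daemon applies and the layout expectations would pass or fail for the wrong reason. The same pattern is used to flip the option to `=yes` in the following hunk of this file. Pinning the precondition right after the sed is one line: `AT_CHECK([grep -q '^AllowZoneDrifting=no$' ./firewalld.conf])` (and the `=yes` counterpart in the next hunk).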
4f7c03
@@ -199,4 +202,178 @@ IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
4f7c03
 ]])
4f7c03
 ])
4f7c03
 
4f7c03
-FWD_END_TEST
4f7c03
+dnl ##########################################################################
4f7c03
+dnl ##########################################################################
4f7c03
+dnl We also support zone drifting in which source based zones fall through to
4f7c03
+dnl interface based zones (including default zone). So make sure the zones are
4f7c03
+dnl sorted by name in this mode.
4f7c03
+dnl ##########################################################################
4f7c03
+dnl ##########################################################################
4f7c03
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=yes/' ./firewalld.conf])
4f7c03
+FWD_RELOAD
4f7c03
+
4f7c03
+FWD_CHECK([-q --zone=foobar_010 --add-source="10.10.10.10"])
4f7c03
+FWD_CHECK([-q --zone=public --add-source="20.20.20.20"])
4f7c03
+IF_HOST_SUPPORTS_IPV6_RULES([
4f7c03
+FWD_CHECK([-q --zone=foobar_010 --add-source="1234:5678::10:10:10"])
4f7c03
+FWD_CHECK([-q --zone=public --add-source="1234:5678::20:20:20"])
4f7c03
+FWD_CHECK([-q --zone=foobar_012 --add-source ipset:ipsetv6])
4f7c03
+])
4f7c03
+FWD_CHECK([-q --zone=foobar_010 --add-interface=foobar2])
4f7c03
+
4f7c03
+NFT_LIST_RULES([inet], [filter_INPUT_ZONES_SOURCE], 0, [dnl
4f7c03
+    table inet firewalld {
4f7c03
+        chain filter_INPUT_ZONES_SOURCE {
4f7c03
+            ip saddr 10.1.1.1 goto filter_IN_foobar_00
4f7c03
+            ip6 saddr 1234:5678::1:1:1 goto filter_IN_foobar_00
4f7c03
+            ip saddr 10.1.1.0/24 goto filter_IN_foobar_01
4f7c03
+            ip6 saddr 1234:5678::1:1:0/112 goto filter_IN_foobar_01
4f7c03
+            ip saddr 10.10.10.10 goto filter_IN_foobar_010
4f7c03
+            ip6 saddr 1234:5678::10:10:10 goto filter_IN_foobar_010
4f7c03
+            ip saddr @ipsetv4 goto filter_IN_foobar_011
4f7c03
+            ip6 saddr @ipsetv6 goto filter_IN_foobar_012
4f7c03
+            ip saddr 10.1.0.0/16 goto filter_IN_foobar_02
4f7c03
+            ip6 saddr 1234:5678::1:0:0/96 goto filter_IN_foobar_02
4f7c03
+            ip saddr 10.2.2.0/24 goto filter_IN_foobar_03
4f7c03
+            ip6 saddr 1234:5678::2:2:0/112 goto filter_IN_foobar_03
4f7c03
+            ip saddr 10.2.0.0/16 goto filter_IN_foobar_04
4f7c03
+            ip6 saddr 1234:5678::2:0:0/96 goto filter_IN_foobar_04
4f7c03
+            ip saddr 10.0.0.0/8 goto filter_IN_foobar_05
4f7c03
+            ip6 saddr 1234:5678::/80 goto filter_IN_foobar_05
4f7c03
+            ip saddr 20.20.20.20 goto filter_IN_public
4f7c03
+            ip6 saddr 1234:5678::20:20:20 goto filter_IN_public
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl
4f7c03
+    table inet firewalld {
4f7c03
+        chain filter_INPUT_ZONES {
4f7c03
+            iifname "foobar2" goto filter_IN_foobar_010
4f7c03
+            iifname "foobar1" goto filter_IN_trusted
4f7c03
+            iifname "foobar0" goto filter_IN_internal
4f7c03
+            goto filter_IN_public
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
4f7c03
+    table ip firewalld {
4f7c03
+        chain nat_POSTROUTING_ZONES_SOURCE {
4f7c03
+            ip daddr 10.1.1.1 goto nat_POST_foobar_00
4f7c03
+            ip daddr 10.1.1.0/24 goto nat_POST_foobar_01
4f7c03
+            ip daddr 10.10.10.10 goto nat_POST_foobar_010
4f7c03
+            ip daddr @ipsetv4 goto nat_POST_foobar_011
4f7c03
+            ip daddr 10.1.0.0/16 goto nat_POST_foobar_02
4f7c03
+            ip daddr 10.2.2.0/24 goto nat_POST_foobar_03
4f7c03
+            ip daddr 10.2.0.0/16 goto nat_POST_foobar_04
4f7c03
+            ip daddr 10.0.0.0/8 goto nat_POST_foobar_05
4f7c03
+            ip daddr 20.20.20.20 goto nat_POST_public
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl
4f7c03
+    table ip firewalld {
4f7c03
+        chain nat_POSTROUTING_ZONES {
4f7c03
+            oifname "foobar2" goto nat_POST_foobar_010
4f7c03
+            oifname "foobar1" goto nat_POST_trusted
4f7c03
+            oifname "foobar0" goto nat_POST_internal
4f7c03
+            goto nat_POST_public
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
4f7c03
+    table ip6 firewalld {
4f7c03
+        chain nat_POSTROUTING_ZONES_SOURCE {
4f7c03
+            ip6 daddr 1234:5678::1:1:1 goto nat_POST_foobar_00
4f7c03
+            ip6 daddr 1234:5678::1:1:0/112 goto nat_POST_foobar_01
4f7c03
+            ip6 daddr 1234:5678::10:10:10 goto nat_POST_foobar_010
4f7c03
+            ip6 daddr @ipsetv6 goto nat_POST_foobar_012
4f7c03
+            ip6 daddr 1234:5678::1:0:0/96 goto nat_POST_foobar_02
4f7c03
+            ip6 daddr 1234:5678::2:2:0/112 goto nat_POST_foobar_03
4f7c03
+            ip6 daddr 1234:5678::2:0:0/96 goto nat_POST_foobar_04
4f7c03
+            ip6 daddr 1234:5678::/80 goto nat_POST_foobar_05
4f7c03
+            ip6 daddr 1234:5678::20:20:20 goto nat_POST_public
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl
4f7c03
+    table ip6 firewalld {
4f7c03
+        chain nat_POSTROUTING_ZONES {
4f7c03
+            oifname "foobar2" goto nat_POST_foobar_010
4f7c03
+            oifname "foobar1" goto nat_POST_trusted
4f7c03
+            oifname "foobar0" goto nat_POST_internal
4f7c03
+            goto nat_POST_public
4f7c03
+        }
4f7c03
+    }
4f7c03
+])
4f7c03
+
4f7c03
+IPTABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0,
4f7c03
+  [[IN_foobar_00 all -- 10.1.1.1 0.0.0.0/0 [goto]
4f7c03
+    IN_foobar_01 all -- 10.1.1.0/24 0.0.0.0/0 [goto]
4f7c03
+    IN_foobar_010 all -- 10.10.10.10 0.0.0.0/0 [goto]
4f7c03
+    IN_foobar_011 all -- 0.0.0.0/0 0.0.0.0/0 [goto] match-set ipsetv4 src
4f7c03
+    IN_foobar_02 all -- 10.1.0.0/16 0.0.0.0/0 [goto]
4f7c03
+    IN_foobar_03 all -- 10.2.2.0/24 0.0.0.0/0 [goto]
4f7c03
+    IN_foobar_04 all -- 10.2.0.0/16 0.0.0.0/0 [goto]
4f7c03
+    IN_foobar_05 all -- 10.0.0.0/8 0.0.0.0/0 [goto]
4f7c03
+    IN_public all -- 20.20.20.20 0.0.0.0/0 [goto]
4f7c03
+]])
4f7c03
+IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
4f7c03
+  [[IN_foobar_010 all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+    IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+    IN_internal all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+    IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+]])
4f7c03
+IP6TABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0,
4f7c03
+  [[IN_foobar_00 all 1234:5678::1:1:1 ::/0 [goto]
4f7c03
+    IN_foobar_01 all 1234:5678::1:1:0/112 ::/0 [goto]
4f7c03
+    IN_foobar_010 all 1234:5678::10:10:10 ::/0 [goto]
4f7c03
+    IN_foobar_012 all ::/0 ::/0 [goto] match-set ipsetv6 src
4f7c03
+    IN_foobar_02 all 1234:5678::1:0:0/96 ::/0 [goto]
4f7c03
+    IN_foobar_03 all 1234:5678::2:2:0/112 ::/0 [goto]
4f7c03
+    IN_foobar_04 all 1234:5678::2:0:0/96 ::/0 [goto]
4f7c03
+    IN_foobar_05 all 1234:5678::/80 ::/0 [goto]
4f7c03
+    IN_public all 1234:5678::20:20:20 ::/0 [goto]
4f7c03
+]])
4f7c03
+IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
4f7c03
+  [[IN_foobar_010 all ::/0 ::/0 [goto]
4f7c03
+    IN_trusted all ::/0 ::/0 [goto]
4f7c03
+    IN_internal all ::/0 ::/0 [goto]
4f7c03
+    IN_public all ::/0 ::/0 [goto]
4f7c03
+]])
4f7c03
+IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0,
4f7c03
+  [[POST_foobar_00 all -- 0.0.0.0/0 10.1.1.1 [goto]
4f7c03
+    POST_foobar_01 all -- 0.0.0.0/0 10.1.1.0/24 [goto]
4f7c03
+    POST_foobar_010 all -- 0.0.0.0/0 10.10.10.10 [goto]
4f7c03
+    POST_foobar_011 all -- 0.0.0.0/0 0.0.0.0/0 [goto] match-set ipsetv4 dst
4f7c03
+    POST_foobar_02 all -- 0.0.0.0/0 10.1.0.0/16 [goto]
4f7c03
+    POST_foobar_03 all -- 0.0.0.0/0 10.2.2.0/24 [goto]
4f7c03
+    POST_foobar_04 all -- 0.0.0.0/0 10.2.0.0/16 [goto]
4f7c03
+    POST_foobar_05 all -- 0.0.0.0/0 10.0.0.0/8 [goto]
4f7c03
+    POST_public all -- 0.0.0.0/0 20.20.20.20 [goto]
4f7c03
+]])
4f7c03
+IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
4f7c03
+  [[POST_foobar_010 all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+    POST_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+    POST_internal all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+    POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
4f7c03
+]])
4f7c03
+IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0,
4f7c03
+  [[POST_foobar_00 all ::/0 1234:5678::1:1:1 [goto]
4f7c03
+    POST_foobar_01 all ::/0 1234:5678::1:1:0/112 [goto]
4f7c03
+    POST_foobar_010 all ::/0 1234:5678::10:10:10 [goto]
4f7c03
+    POST_foobar_012 all ::/0 ::/0 [goto] match-set ipsetv6 dst
4f7c03
+    POST_foobar_02 all ::/0 1234:5678::1:0:0/96 [goto]
4f7c03
+    POST_foobar_03 all ::/0 1234:5678::2:2:0/112 [goto]
4f7c03
+    POST_foobar_04 all ::/0 1234:5678::2:0:0/96 [goto]
4f7c03
+    POST_foobar_05 all ::/0 1234:5678::/80 [goto]
4f7c03
+    POST_public all ::/0 1234:5678::20:20:20 [goto]
4f7c03
+]])
4f7c03
+IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
4f7c03
+  [[POST_foobar_010 all ::/0 ::/0 [goto]
4f7c03
+    POST_trusted all ::/0 ::/0 [goto]
4f7c03
+    POST_internal all ::/0 ::/0 [goto]
4f7c03
+    POST_public all ::/0 ::/0 [goto]
4f7c03
+]])
4f7c03
+
4f7c03
+FWD_END_TEST([-e '/WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now./d' dnl
4f7c03
+              -e '/WARNING: ZONE_ALREADY_SET:/d'])
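Review bot: The new comment block says to "make sure the zones are sorted by name in this mode", but only the `*_ZONES_SOURCE` expectations that follow are name-ordered; the `*_ZONES` interface chains list `foobar_010`, `trusted`, `internal`, then the unconditional `goto *_public`, which is not alphabetical. A reader checking the invariant against the interface chains will think the test is wrong. I would narrow the comment to `dnl sorted by name in this mode (source dispatch only; interface dispatch is not name-sorted).` The trailing `goto filter_IN_public` / `goto nat_POST_public` lines are what the fall-through described two lines earlier actually looks like, so naming them in that comment would make the drifting behaviour being asserted explicit.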
4f7c03
-- 
4f7c03
2.23.0
4f7c03