From 959584ced5e1c1853b62ff5e15c3e9fa49837ea4 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 30 May 2019 16:16:51 -0400
Subject: [PATCH 60/73] test: add coverage for #258 and #441
(cherry picked from commit 0c49548a4954a0c5f2a982fd3a46b135afa74965)
(cherry picked from commit 87235daf6290eba20c38178edca6c9bd7475caf3)
---
src/tests/regression.at | 1 +
src/tests/regression/gh258.at | 441 ++++++++++++++++++++++++++++++++++
2 files changed, 442 insertions(+)
create mode 100644 src/tests/regression/gh258.at
diff --git a/src/tests/regression.at b/src/tests/regression.at
index 8bcb576238e6..00690fc6459e 100644
--- a/src/tests/regression.at
+++ b/src/tests/regression.at
@@ -19,3 +19,4 @@ m4_include([regression/gh335.at])
m4_include([regression/gh482.at])
m4_include([regression/gh478.at])
m4_include([regression/gh453.at])
+m4_include([regression/gh258.at])
diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at
new file mode 100644
index 000000000000..d0c4f2fa7432
--- /dev/null
+++ b/src/tests/regression/gh258.at
@@ -0,0 +1,441 @@
+FWD_START_TEST([zone dispatch layout])
+AT_KEYWORDS(zone gh258 gh441)
+
+FWD_CHECK([--zone=work --add-source="1.2.3.0/24"], 0, ignore)
+IF_IPV6_SUPPORTED([
+FWD_CHECK([--zone=public --add-source="dead:beef::/54"], 0, ignore)
+])
+FWD_CHECK([--zone=work --add-interface=dummy0], 0, ignore)
+FWD_CHECK([--zone=public --add-interface=dummy1], 0, ignore)
+
+dnl verify layout of zone dispatch
+m4_if(nftables, FIREWALL_BACKEND, [
+NFT_LIST_RULES([inet], [filter_INPUT], 0, [dnl
+ table inet firewalld {
+ chain filter_INPUT {
+ ct state established,related accept
+ iifname "lo" accept
+ jump filter_INPUT_ZONES
+ ct state invalid drop
+ reject with icmpx type admin-prohibited
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl
+ table inet firewalld {
+ chain filter_INPUT_ZONES {
+ ip6 saddr dead:beef::/54 goto filter_IN_public
+ ip saddr 1.2.3.0/24 goto filter_IN_work
+ goto filter_INPUT_ZONES_IFACES
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_INPUT_ZONES_IFACES], 0, [dnl
+ table inet firewalld {
+ chain filter_INPUT_ZONES_IFACES {
+ iifname "dummy1" goto filter_IN_public
+ iifname "dummy0" goto filter_IN_work
+ goto filter_IN_public
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
+ table inet firewalld {
+ chain filter_FORWARD {
+ ct state established,related accept
+ iifname "lo" accept
+ jump filter_FORWARD_IN_ZONES
+ jump filter_FORWARD_OUT_ZONES
+ ct state invalid drop
+ reject with icmpx type admin-prohibited
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES], 0, [dnl
+ table inet firewalld {
+ chain filter_FORWARD_IN_ZONES {
+ ip6 saddr dead:beef::/54 goto filter_FWDI_public
+ ip saddr 1.2.3.0/24 goto filter_FWDI_work
+ goto filter_FORWARD_IN_ZONES_IFACES
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES_IFACES], 0, [dnl
+ table inet firewalld {
+ chain filter_FORWARD_IN_ZONES_IFACES {
+ iifname "dummy1" goto filter_FWDI_public
+ iifname "dummy0" goto filter_FWDI_work
+ goto filter_FWDI_public
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl
+ table inet firewalld {
+ chain filter_FORWARD_OUT_ZONES {
+ ip6 daddr dead:beef::/54 goto filter_FWDO_public
+ ip daddr 1.2.3.0/24 goto filter_FWDO_work
+ goto filter_FORWARD_OUT_ZONES_IFACES
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES_IFACES], 0, [dnl
+ table inet firewalld {
+ chain filter_FORWARD_OUT_ZONES_IFACES {
+ oifname "dummy1" goto filter_FWDO_public
+ oifname "dummy0" goto filter_FWDO_work
+ goto filter_FWDO_public
+ }
+ }
+])
+NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl
+ table inet firewalld {
+ chain raw_PREROUTING {
+ m4_if(yes, HOST_SUPPORTS_NFT_FIB, [dnl
+ icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+ meta nfproto ipv6 fib saddr . iif oif missing drop
+ ])dnl
+ jump raw_PREROUTING_ZONES
+ }
+ }
+])
+NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl
+ table inet firewalld {
+ chain raw_PREROUTING_ZONES {
+ ip6 saddr dead:beef::/54 goto raw_PRE_public
+ ip saddr 1.2.3.0/24 goto raw_PRE_work
+ goto raw_PREROUTING_ZONES_IFACES
+ }
+ }
+])
+NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES_IFACES], 0, [dnl
+ table inet firewalld {
+ chain raw_PREROUTING_ZONES_IFACES {
+ iifname "dummy1" goto raw_PRE_public
+ iifname "dummy0" goto raw_PRE_work
+ goto raw_PRE_public
+ }
+ }
+])
+NFT_LIST_RULES([inet], [mangle_PREROUTING], 0, [dnl
+ table inet firewalld {
+ chain mangle_PREROUTING {
+ jump mangle_PREROUTING_ZONES
+ }
+ }
+])
+NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl
+ table inet firewalld {
+ chain mangle_PREROUTING_ZONES {
+ ip6 saddr dead:beef::/54 goto mangle_PRE_public
+ ip saddr 1.2.3.0/24 goto mangle_PRE_work
+ goto mangle_PREROUTING_ZONES_IFACES
+ }
+ }
+])
+NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES_IFACES], 0, [dnl
+ table inet firewalld {
+ chain mangle_PREROUTING_ZONES_IFACES {
+ iifname "dummy1" goto mangle_PRE_public
+ iifname "dummy0" goto mangle_PRE_work
+ goto mangle_PRE_public
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_PREROUTING], 0, [dnl
+ table ip firewalld {
+ chain nat_PREROUTING {
+ jump nat_PREROUTING_ZONES
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES], 0, [dnl
+ table ip firewalld {
+ chain nat_PREROUTING_ZONES {
+ ip saddr 1.2.3.0/24 goto nat_PRE_work
+ goto nat_PREROUTING_ZONES_IFACES
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES_IFACES], 0, [dnl
+ table ip firewalld {
+ chain nat_PREROUTING_ZONES_IFACES {
+ iifname "dummy1" goto nat_PRE_public
+ iifname "dummy0" goto nat_PRE_work
+ goto nat_PRE_public
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_POSTROUTING], 0, [dnl
+ table ip firewalld {
+ chain nat_POSTROUTING {
+ jump nat_POSTROUTING_ZONES
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl
+ table ip firewalld {
+ chain nat_POSTROUTING_ZONES {
+ ip daddr 1.2.3.0/24 goto nat_POST_work
+ goto nat_POSTROUTING_ZONES_IFACES
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_IFACES], 0, [dnl
+ table ip firewalld {
+ chain nat_POSTROUTING_ZONES_IFACES {
+ oifname "dummy1" goto nat_POST_public
+ oifname "dummy0" goto nat_POST_work
+ goto nat_POST_public
+ }
+ }
+])
+NFT_LIST_RULES([ip6], [nat_PREROUTING], 0, [dnl
+ table ip6 firewalld {
+ chain nat_PREROUTING {
+ jump nat_PREROUTING_ZONES
+ }
+ }
+])
+NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES], 0, [dnl
+ table ip6 firewalld {
+ chain nat_PREROUTING_ZONES {
+ ip6 saddr dead:beef::/54 goto nat_PRE_public
+ goto nat_PREROUTING_ZONES_IFACES
+ }
+ }
+])
+NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES_IFACES], 0, [dnl
+ table ip6 firewalld {
+ chain nat_PREROUTING_ZONES_IFACES {
+ iifname "dummy1" goto nat_PRE_public
+ iifname "dummy0" goto nat_PRE_work
+ goto nat_PRE_public
+ }
+ }
+])
+NFT_LIST_RULES([ip6], [nat_POSTROUTING], 0, [dnl
+ table ip6 firewalld {
+ chain nat_POSTROUTING {
+ jump nat_POSTROUTING_ZONES
+ }
+ }
+])
+NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl
+ table ip6 firewalld {
+ chain nat_POSTROUTING_ZONES {
+ ip6 daddr dead:beef::/54 goto nat_POST_public
+ goto nat_POSTROUTING_ZONES_IFACES
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_IFACES], 0, [dnl
+ table ip firewalld {
+ chain nat_POSTROUTING_ZONES_IFACES {
+ oifname "dummy1" goto nat_POST_public
+ oifname "dummy0" goto nat_POST_work
+ goto nat_POST_public
+ }
+ }
+])
+], [
+
+IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+ INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
+ INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+ DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
+ REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
+])
+IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0, [dnl
+ IN_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@
+ INPUT_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([filter], [INPUT_ZONES_IFACES], 0, [dnl
+ IN_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ IN_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ IN_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+ FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
+ FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+ FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+ DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
+ REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
+])
+IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, [dnl
+ FWDI_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@
+ FORWARD_IN_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_IFACES], 0, [dnl
+ FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ FWDI_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, [dnl
+ FWDO_work all -- 0.0.0.0/0 1.2.3.0/24 @<:@goto@:>@
+ FORWARD_OUT_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_IFACES], 0, [dnl
+ FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ FWDO_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
+ PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
+ PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+])
+IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, [dnl
+ PRE_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@
+ PREROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES_IFACES], 0, [dnl
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ PRE_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
+ PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
+ PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+])
+IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, [dnl
+ PRE_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@
+ PREROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES_IFACES], 0, [dnl
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ PRE_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
+ PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
+ PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+])
+IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, [dnl
+ PRE_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@
+ PREROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES_IFACES], 0, [dnl
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ PRE_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
+ POSTROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
+ POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+])
+IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, [dnl
+ POST_work all -- 0.0.0.0/0 1.2.3.0/24 @<:@goto@:>@
+ POSTROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES_IFACES], 0, [dnl
+ POST_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ POST_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ POST_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+
+
+IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl
+ ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
+ ACCEPT all ::/0 ::/0
+ INPUT_direct all ::/0 ::/0
+ INPUT_ZONES all ::/0 ::/0
+ DROP all ::/0 ::/0 ctstate INVALID
+ REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
+])
+IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0, [dnl
+ IN_public all dead:beef::/54 ::/0 @<:@goto@:>@
+ INPUT_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([filter], [INPUT_ZONES_IFACES], 0, [dnl
+ IN_public all ::/0 ::/0 @<:@goto@:>@
+ IN_work all ::/0 ::/0 @<:@goto@:>@
+ IN_public all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
+ ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
+ ACCEPT all ::/0 ::/0
+ FORWARD_direct all ::/0 ::/0
+ FORWARD_IN_ZONES all ::/0 ::/0
+ FORWARD_OUT_ZONES all ::/0 ::/0
+ DROP all ::/0 ::/0 ctstate INVALID
+ REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
+])
+IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, [dnl
+ FWDI_public all dead:beef::/54 ::/0 @<:@goto@:>@
+ FORWARD_IN_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_IFACES], 0, [dnl
+ FWDI_public all ::/0 ::/0 @<:@goto@:>@
+ FWDI_work all ::/0 ::/0 @<:@goto@:>@
+ FWDI_public all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, [dnl
+ FWDO_public all ::/0 dead:beef::/54 @<:@goto@:>@
+ FORWARD_OUT_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_IFACES], 0, [dnl
+ FWDO_public all ::/0 ::/0 @<:@goto@:>@
+ FWDO_work all ::/0 ::/0 @<:@goto@:>@
+ FWDO_public all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135
+ DROP all ::/0 ::/0 rpfilter invert
+ PREROUTING_direct all ::/0 ::/0
+ PREROUTING_ZONES all ::/0 ::/0
+])
+IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, [dnl
+ PRE_public all dead:beef::/54 ::/0 @<:@goto@:>@
+ PREROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES_IFACES], 0, [dnl
+ PRE_public all ::/0 ::/0 @<:@goto@:>@
+ PRE_work all ::/0 ::/0 @<:@goto@:>@
+ PRE_public all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
+ PREROUTING_direct all ::/0 ::/0
+ PREROUTING_ZONES all ::/0 ::/0
+])
+IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, [dnl
+ PRE_public all dead:beef::/54 ::/0 @<:@goto@:>@
+ PREROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES_IFACES], 0, [dnl
+ PRE_public all ::/0 ::/0 @<:@goto@:>@
+ PRE_work all ::/0 ::/0 @<:@goto@:>@
+ PRE_public all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
+ PREROUTING_direct all ::/0 ::/0
+ PREROUTING_ZONES all ::/0 ::/0
+])
+IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, [dnl
+ PRE_public all dead:beef::/54 ::/0 @<:@goto@:>@
+ PREROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES_IFACES], 0, [dnl
+ PRE_public all ::/0 ::/0 @<:@goto@:>@
+ PRE_work all ::/0 ::/0 @<:@goto@:>@
+ PRE_public all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
+ POSTROUTING_direct all ::/0 ::/0
+ POSTROUTING_ZONES all ::/0 ::/0
+])
+IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, [dnl
+ POST_public all ::/0 dead:beef::/54 @<:@goto@:>@
+ POSTROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES_IFACES], 0, [dnl
+ POST_public all ::/0 ::/0 @<:@goto@:>@
+ POST_work all ::/0 ::/0 @<:@goto@:>@
+ POST_public all ::/0 ::/0 @<:@goto@:>@
+])
+])
+
+FWD_END_TEST
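Review bot: The last check in the nftables branch repeats `NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_IFACES], 0, [dnl` with `table ip firewalld {`, identical to the check a few blocks earlier, so the `ip6` family's `nat_POSTROUTING_ZONES_IFACES` chain is never verified and a dispatch regression there would pass unnoticed. Because it directly follows the `ip6` `nat_POSTROUTING_ZONES` check, it presumably should read `NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_IFACES], 0, [dnl` followed by `table ip6 firewalld {`. Separately, the `dead:beef::/54` source is added only inside `IF_IPV6_SUPPORTED`, while the expected `inet` and `ip6` listings contain the `ip6 saddr`/`ip6 daddr` rules unconditionally. Unless `NFT_LIST_RULES` handles that itself (its definition is not visible here), the nftables branch would fail on a host without IPv6, so those expectations may need the same guard.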
--
2.20.1