authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2020-07-10 15:30:39 +0300
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2020-09-18 14:20:36 +0300
commitdde0cffd637b0a615746b28d0158ad941ef116ac (patch)
tree6074cda11448807f042bf378f942ab79e9771488
parent5e3f460995ef26578188be7ac695dd5d02afcb9c (diff)
test: split filter-log cases
-rw-r--r--test/mandatory/log.json26
-rw-r--r--test/optional/filter-log.lua19
-rw-r--r--test/output/address/dump438
-rw-r--r--test/output/address/rules-save101
-rw-r--r--test/output/address/rules6-save94
-rw-r--r--test/output/custom/dump648
-rw-r--r--test/output/custom/rules-save101
-rw-r--r--test/output/custom/rules6-save94
-rw-r--r--test/output/dedicated/dump620
-rw-r--r--test/output/dedicated/rules-save101
-rw-r--r--test/output/dedicated/rules6-save94
-rw-r--r--test/output/filter-dnat/dump660
-rw-r--r--test/output/filter-dnat/rules-save101
-rw-r--r--test/output/filter-dnat/rules6-save94
-rw-r--r--test/output/filter-limit/dump438
-rw-r--r--test/output/filter-limit/rules-save101
-rw-r--r--test/output/filter-limit/rules6-save94
-rw-r--r--test/output/filter-log/dump1056
-rw-r--r--test/output/filter-log/ipset-awall-masquerade2
-rw-r--r--test/output/filter-log/rules-save214
-rw-r--r--test/output/filter-log/rules6-save163
-rw-r--r--test/output/filter/dump438
-rw-r--r--test/output/filter/rules-save101
-rw-r--r--test/output/filter/rules6-save94
-rw-r--r--test/output/ipset/dump438
-rw-r--r--test/output/ipset/rules-save101
-rw-r--r--test/output/ipset/rules6-save94
-rw-r--r--test/output/nat/dump620
-rw-r--r--test/output/nat/rules-save101
-rw-r--r--test/output/nat/rules6-save94
-rw-r--r--test/output/no-track/dump752
-rw-r--r--test/output/no-track/rules-save101
-rw-r--r--test/output/no-track/rules6-save94
-rw-r--r--test/output/route-track/dump620
-rw-r--r--test/output/route-track/rules-save101
-rw-r--r--test/output/route-track/rules6-save94
-rw-r--r--test/output/tproxy/dump620
-rw-r--r--test/output/tproxy/rules-save101
-rw-r--r--test/output/tproxy/rules6-save94
39 files changed, 2247 insertions, 7670 deletions
diff --git a/test/mandatory/log.json b/test/mandatory/log.json
index d1cbb4c..b8b0578 100644
--- a/test/mandatory/log.json
+++ b/test/mandatory/log.json
@@ -12,29 +12,5 @@
{ "out": "_fw", "log": "nflog" },
{ "out": "_fw", "log": "ulog" }
],
- "filter": [
- {},
- { "action": "drop" },
- { "action": "pass" },
- { "log": false },
- { "log": false, "action": "drop" },
- { "log": false, "action": "pass" },
- { "log": true },
- { "log": true, "action": "drop" },
- { "log": true, "action": "pass" },
- { "log": "dual" },
- { "log": "dual", "action": "drop" },
- { "log": "dual", "action": "pass" },
- { "log": "mirror" },
- { "log": "mirror", "action": "drop" },
- { "log": "mirror", "action": "pass" },
- { "log": "none" },
- { "log": "none", "action": "drop" },
- { "log": "none", "action": "pass" },
-
- { "log": "ulog" },
- { "log": "ulog", "action": "drop" },
- { "log": "ulog", "action": "pass" },
- { "in": "_fw", "log": "ulog", "action": "pass" }
- ]
+ "filter": [ { "in": "_fw", "log": "ulog", "action": "pass" } ]
}
diff --git a/test/optional/filter-log.lua b/test/optional/filter-log.lua
new file mode 100644
index 0000000..b3471c7
--- /dev/null
+++ b/test/optional/filter-log.lua
@@ -0,0 +1,19 @@
+--[[
+Filter log test cases for Alpine Wall
+Copyright (C) 2012-2020 Kaarle Ritvanen
+See LICENSE file for license details
+]]--
+
+
+json = require('cjson')
+
+res = {}
+
+for _, log in ipairs{'', false, true, 'dual', 'mirror', 'none', 'ulog'} do
+ for _, action in ipairs{false, 'drop', 'pass'} do
+ if log == '' then log = nil end
+ table.insert(res, {log=log, action=action or nil})
+ end
+end
+
+print(json.encode{filter=res})
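Review bot: `json` and `res` are assigned without `local`, so this new script creates two globals; `local json = require('cjson')` and `local res = {}` would keep them out of the environment of whatever loads the file. The `''` entry in the log list stands for "no log attribute" (a literal `nil` would end the `ipairs` walk), but nothing says so, and the conversion `if log == '' then log = nil end` is repeated inside the inner loop. I would hoist it above `for _, action` and add a comment such as `-- '' means the log attribute is absent; ipairs would stop at nil`. The loops still generate the same 21 log/action combinations, in the same order, that the test/mandatory/log.json hunk removes, so coverage of the accept/drop/log rule generation is unchanged only if the optional cases are actually run; the harness is not visible here.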
diff --git a/test/output/address/dump b/test/output/address/dump
index d008591..34a51c9 100644
--- a/test/output/address/dump
+++ b/test/output/address/dump
@@ -7734,244 +7734,11 @@ Filter 1200 {"action":"pass","dest":["172.16.0.0\/16","fc00::2
inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j address-473
inet/filter/address-473 -s 10.0.0.1 -d 172.16.0.0/16 -m limit --limit 12/minute -j ULOG
-Filter 1201 {}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 1202 {"action":"drop"}
-(log)
- inet/filter/FORWARD -j logdrop-0
- inet/filter/INPUT -j logdrop-0
- inet/filter/OUTPUT -j logdrop-0
- inet/filter/logdrop-0 -m limit --limit 1/second -j LOG
- inet/filter/logdrop-0 -j DROP
- inet6/filter/FORWARD -j logdrop-0
- inet6/filter/INPUT -j logdrop-0
- inet6/filter/OUTPUT -j logdrop-0
- inet6/filter/logdrop-0 -m limit --limit 1/second -j LOG
- inet6/filter/logdrop-0 -j DROP
-
-Filter 1203 {"action":"pass"}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 1204 {"log":false}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 1205 {"action":"drop","log":false}
-(log)
- inet/filter/FORWARD -j DROP
- inet/filter/INPUT -j DROP
- inet/filter/OUTPUT -j DROP
- inet6/filter/FORWARD -j DROP
- inet6/filter/INPUT -j DROP
- inet6/filter/OUTPUT -j DROP
-
-Filter 1206 {"action":"pass","log":false}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 1207 {"log":true}
-(log)
- inet/filter/FORWARD -j logaccept-267
- inet/filter/INPUT -j logaccept-267
- inet/filter/OUTPUT -j logaccept-267
- inet/filter/logaccept-267 -m limit --limit 1/second -j LOG
- inet/filter/logaccept-267 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-267
- inet6/filter/INPUT -j logaccept-267
- inet6/filter/OUTPUT -j logaccept-267
- inet6/filter/logaccept-267 -m limit --limit 1/second -j LOG
- inet6/filter/logaccept-267 -j ACCEPT
-
-Filter 1208 {"action":"drop","log":true}
-(log)
- inet/filter/FORWARD -j logdrop-1
- inet/filter/INPUT -j logdrop-1
- inet/filter/OUTPUT -j logdrop-1
- inet/filter/logdrop-1 -m limit --limit 1/second -j LOG
- inet/filter/logdrop-1 -j DROP
- inet6/filter/FORWARD -j logdrop-1
- inet6/filter/INPUT -j logdrop-1
- inet6/filter/OUTPUT -j logdrop-1
- inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG
- inet6/filter/logdrop-1 -j DROP
-
-Filter 1209 {"action":"pass","log":true}
-(log)
- inet/filter/FORWARD -j logpass-167
- inet/filter/INPUT -j logpass-167
- inet/filter/OUTPUT -j logpass-167
- inet/filter/logpass-167 -m limit --limit 1/second -j LOG
- inet6/filter/FORWARD -j logpass-167
- inet6/filter/INPUT -j logpass-167
- inet6/filter/OUTPUT -j logpass-167
- inet6/filter/logpass-167 -m limit --limit 1/second -j LOG
-
-Filter 1210 {"log":"dual"}
-(log)
- inet/filter/FORWARD -j logaccept-268
- inet/filter/INPUT -j logaccept-268
- inet/filter/OUTPUT -j logaccept-268
- inet/filter/logaccept-268 -j LOG
- inet/filter/logaccept-268 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-268
- inet6/filter/INPUT -j logaccept-268
- inet6/filter/OUTPUT -j logaccept-268
- inet6/filter/logaccept-268 -j LOG
- inet6/filter/logaccept-268 -j TEE --gateway fc00::1
- inet6/filter/logaccept-268 -j ACCEPT
-
-Filter 1211 {"action":"drop","log":"dual"}
-(log)
- inet/filter/FORWARD -j logdrop-2
- inet/filter/INPUT -j logdrop-2
- inet/filter/OUTPUT -j logdrop-2
- inet/filter/logdrop-2 -j LOG
- inet/filter/logdrop-2 -j DROP
- inet6/filter/FORWARD -j logdrop-2
- inet6/filter/INPUT -j logdrop-2
- inet6/filter/OUTPUT -j logdrop-2
- inet6/filter/logdrop-2 -j LOG
- inet6/filter/logdrop-2 -j TEE --gateway fc00::1
- inet6/filter/logdrop-2 -j DROP
-
-Filter 1212 {"action":"pass","log":"dual"}
-(log)
- inet/filter/FORWARD -j logpass-168
- inet/filter/INPUT -j logpass-168
- inet/filter/OUTPUT -j logpass-168
- inet/filter/logpass-168 -j LOG
- inet6/filter/FORWARD -j logpass-168
- inet6/filter/INPUT -j logpass-168
- inet6/filter/OUTPUT -j logpass-168
- inet6/filter/logpass-168 -j LOG
- inet6/filter/logpass-168 -j TEE --gateway fc00::1
-
-Filter 1213 {"log":"mirror"}
-(log)
- inet/filter/FORWARD -j logaccept-269
- inet/filter/INPUT -j logaccept-269
- inet/filter/OUTPUT -j logaccept-269
- inet/filter/logaccept-269 -j TEE --gateway 10.0.0.1
- inet/filter/logaccept-269 -j TEE --gateway 10.0.0.2
- inet/filter/logaccept-269 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-269
- inet6/filter/INPUT -j logaccept-269
- inet6/filter/OUTPUT -j logaccept-269
- inet6/filter/logaccept-269 -j TEE --gateway fc00::2
- inet6/filter/logaccept-269 -j ACCEPT
-
-Filter 1214 {"action":"drop","log":"mirror"}
-(log)
- inet/filter/FORWARD -j logdrop-3
- inet/filter/INPUT -j logdrop-3
- inet/filter/OUTPUT -j logdrop-3
- inet/filter/logdrop-3 -j TEE --gateway 10.0.0.1
- inet/filter/logdrop-3 -j TEE --gateway 10.0.0.2
- inet/filter/logdrop-3 -j DROP
- inet6/filter/FORWARD -j logdrop-3
- inet6/filter/INPUT -j logdrop-3
- inet6/filter/OUTPUT -j logdrop-3
- inet6/filter/logdrop-3 -j TEE --gateway fc00::2
- inet6/filter/logdrop-3 -j DROP
-
-Filter 1215 {"action":"pass","log":"mirror"}
-(log)
- inet/filter/FORWARD -j logpass-169
- inet/filter/INPUT -j logpass-169
- inet/filter/OUTPUT -j logpass-169
- inet/filter/logpass-169 -j TEE --gateway 10.0.0.1
- inet/filter/logpass-169 -j TEE --gateway 10.0.0.2
- inet6/filter/FORWARD -j logpass-169
- inet6/filter/INPUT -j logpass-169
- inet6/filter/OUTPUT -j logpass-169
- inet6/filter/logpass-169 -j TEE --gateway fc00::2
-
-Filter 1216 {"log":"none"}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 1217 {"action":"drop","log":"none"}
-(log)
- inet/filter/FORWARD -j DROP
- inet/filter/INPUT -j DROP
- inet/filter/OUTPUT -j DROP
- inet6/filter/FORWARD -j DROP
- inet6/filter/INPUT -j DROP
- inet6/filter/OUTPUT -j DROP
-
-Filter 1218 {"action":"pass","log":"none"}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 1219 {"log":"ulog"}
-(log)
- inet/filter/FORWARD -j logaccept-270
- inet/filter/INPUT -j logaccept-270
- inet/filter/OUTPUT -j logaccept-270
- inet/filter/logaccept-270 -m limit --limit 12/minute -j ULOG
- inet/filter/logaccept-270 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-270
- inet6/filter/INPUT -j logaccept-270
- inet6/filter/OUTPUT -j logaccept-270
- inet6/filter/logaccept-270 -j ACCEPT
-
-Filter 1220 {"action":"drop","log":"ulog"}
-(log)
- inet/filter/FORWARD -j logdrop-4
- inet/filter/INPUT -j logdrop-4
- inet/filter/OUTPUT -j logdrop-4
- inet/filter/logdrop-4 -m limit --limit 12/minute -j ULOG
- inet/filter/logdrop-4 -j DROP
- inet6/filter/FORWARD -j logdrop-4
- inet6/filter/INPUT -j logdrop-4
- inet6/filter/OUTPUT -j logdrop-4
- inet6/filter/logdrop-4 -j DROP
-
-Filter 1221 {"action":"pass","log":"ulog"}
-(log)
- inet/filter/FORWARD -j logpass-170
- inet/filter/INPUT -j logpass-170
- inet/filter/OUTPUT -j logpass-170
- inet/filter/logpass-170 -m limit --limit 12/minute -j ULOG
-
-Filter 1222 {"action":"pass","in":"_fw","log":"ulog"}
+Filter 1201 {"action":"pass","in":"_fw","log":"ulog"}
(log)
inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
-Filter 1223 {"in":["_fw","A"]}
+Filter 1202 {"in":["_fw","A"]}
(zone)
inet/filter/FORWARD -i eth0 -j ACCEPT
inet/filter/INPUT -i eth0 -j ACCEPT
@@ -7980,12 +7747,12 @@ Filter 1223 {"in":["_fw","A"]}
inet6/filter/INPUT -i eth0 -j ACCEPT
inet6/filter/OUTPUT -j ACCEPT
-Filter 1224 {"in":"B","out":"C"}
+Filter 1203 {"in":"B","out":"C"}
(zone)
inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-Filter 1225 {"out":["_fw","B"]}
+Filter 1204 {"out":["_fw","B"]}
(zone)
inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
inet/filter/INPUT -j ACCEPT
@@ -7994,7 +7761,7 @@ Filter 1225 {"out":["_fw","B"]}
inet6/filter/INPUT -j ACCEPT
inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-Filter 1226 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
+Filter 1205 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
(zone)
inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
@@ -8942,10 +8709,6 @@ hash:net family inet
:logaccept-264 - [0:0]
:logaccept-265 - [0:0]
:logaccept-266 - [0:0]
-:logaccept-267 - [0:0]
-:logaccept-268 - [0:0]
-:logaccept-269 - [0:0]
-:logaccept-270 - [0:0]
:logaccept-3 - [0:0]
:logaccept-32 - [0:0]
:logaccept-33 - [0:0]
@@ -9009,11 +8772,6 @@ hash:net family inet
:logaccept-97 - [0:0]
:logaccept-98 - [0:0]
:logaccept-99 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
:logpass-0 - [0:0]
:logpass-1 - [0:0]
:logpass-10 - [0:0]
@@ -9088,11 +8846,7 @@ hash:net family inet
:logpass-164 - [0:0]
:logpass-165 - [0:0]
:logpass-166 - [0:0]
-:logpass-167 - [0:0]
-:logpass-168 - [0:0]
-:logpass-169 - [0:0]
:logpass-17 - [0:0]
-:logpass-170 - [0:0]
:logpass-18 - [0:0]
:logpass-19 - [0:0]
:logpass-2 - [0:0]
@@ -10277,27 +10031,6 @@ hash:net family inet
-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j address-472
-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j address-473
-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j address-473
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-267
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-167
--A FORWARD -j logaccept-268
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-168
--A FORWARD -j logaccept-269
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-169
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-270
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-170
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -11063,27 +10796,6 @@ hash:net family inet
-A INPUT -i eth1 -s 10.0.0.0/12 -j address-383
-A INPUT -i eth2 -s 10.1.0.0/12 -j address-383
-A INPUT -i eth3 -s 10.1.0.0/12 -j address-383
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-267
--A INPUT -j logdrop-1
--A INPUT -j logpass-167
--A INPUT -j logaccept-268
--A INPUT -j logdrop-2
--A INPUT -j logpass-168
--A INPUT -j logaccept-269
--A INPUT -j logdrop-3
--A INPUT -j logpass-169
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-270
--A INPUT -j logdrop-4
--A INPUT -j logpass-170
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
@@ -11341,27 +11053,6 @@ hash:net family inet
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j address-93
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j address-94
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j address-95
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-267
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-167
--A OUTPUT -j logaccept-268
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-168
--A OUTPUT -j logaccept-269
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-169
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-270
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-170
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -12315,15 +12006,6 @@ hash:net family inet
-A logaccept-265 -j ACCEPT
-A logaccept-266 -m limit --limit 12/minute -j ULOG
-A logaccept-266 -j ACCEPT
--A logaccept-267 -m limit --limit 1/second -j LOG
--A logaccept-267 -j ACCEPT
--A logaccept-268 -j LOG
--A logaccept-268 -j ACCEPT
--A logaccept-269 -j TEE --gateway 10.0.0.1
--A logaccept-269 -j TEE --gateway 10.0.0.2
--A logaccept-269 -j ACCEPT
--A logaccept-270 -m limit --limit 12/minute -j ULOG
--A logaccept-270 -j ACCEPT
-A logaccept-3 -m limit --limit 12/minute -j ULOG
-A logaccept-3 -j ACCEPT
-A logaccept-32 -m limit --limit 1/second -j LOG
@@ -12450,17 +12132,6 @@ hash:net family inet
-A logaccept-98 -j ACCEPT
-A logaccept-99 -m limit --limit 12/minute -j ULOG
-A logaccept-99 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway 10.0.0.1
--A logdrop-3 -j TEE --gateway 10.0.0.2
--A logdrop-3 -j DROP
--A logdrop-4 -m limit --limit 12/minute -j ULOG
--A logdrop-4 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
-A logpass-1 -m limit --limit 12/minute -j ULOG
-A logpass-10 -m limit --limit 12/minute -j ULOG
@@ -12535,12 +12206,7 @@ hash:net family inet
-A logpass-164 -m limit --limit 12/minute -j ULOG
-A logpass-165 -m limit --limit 1/second -j LOG
-A logpass-166 -m limit --limit 12/minute -j ULOG
--A logpass-167 -m limit --limit 1/second -j LOG
--A logpass-168 -j LOG
--A logpass-169 -j TEE --gateway 10.0.0.1
--A logpass-169 -j TEE --gateway 10.0.0.2
-A logpass-17 -m limit --limit 1/second -j LOG
--A logpass-170 -m limit --limit 12/minute -j ULOG
-A logpass-18 -m limit --limit 12/minute -j ULOG
-A logpass-19 -m limit --limit 1/second -j LOG
-A logpass-2 -m limit --limit 1/second -j LOG
@@ -12840,11 +12506,7 @@ COMMIT
:logaccept-233 - [0:0]
:logaccept-234 - [0:0]
:logaccept-26 - [0:0]
-:logaccept-267 - [0:0]
-:logaccept-268 - [0:0]
-:logaccept-269 - [0:0]
:logaccept-27 - [0:0]
-:logaccept-270 - [0:0]
:logaccept-28 - [0:0]
:logaccept-29 - [0:0]
:logaccept-30 - [0:0]
@@ -12879,11 +12541,6 @@ COMMIT
:logaccept-88 - [0:0]
:logaccept-89 - [0:0]
:logaccept-9 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
:logpass-0 - [0:0]
:logpass-109 - [0:0]
:logpass-115 - [0:0]
@@ -12891,9 +12548,6 @@ COMMIT
:logpass-130 - [0:0]
:logpass-136 - [0:0]
:logpass-137 - [0:0]
-:logpass-167 - [0:0]
-:logpass-168 - [0:0]
-:logpass-169 - [0:0]
:logpass-25 - [0:0]
:logpass-26 - [0:0]
:logpass-27 - [0:0]
@@ -13185,26 +12839,6 @@ COMMIT
-A FORWARD -i eth1 -s fc00::/7 -j address-380
-A FORWARD -i eth1 -s fc00::/7 -j address-381
-A FORWARD -i eth1 -s fc00::/7 -j address-382
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-267
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-167
--A FORWARD -j logaccept-268
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-168
--A FORWARD -j logaccept-269
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-169
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-270
--A FORWARD -j logdrop-4
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -13416,26 +13050,6 @@ COMMIT
-A INPUT -i eth1 -s fc00::/7 -j address-380
-A INPUT -i eth1 -s fc00::/7 -j address-381
-A INPUT -i eth1 -s fc00::/7 -j address-382
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-267
--A INPUT -j logdrop-1
--A INPUT -j logpass-167
--A INPUT -j logaccept-268
--A INPUT -j logdrop-2
--A INPUT -j logpass-168
--A INPUT -j logaccept-269
--A INPUT -j logdrop-3
--A INPUT -j logpass-169
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-270
--A INPUT -j logdrop-4
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
@@ -13532,26 +13146,6 @@ COMMIT
-A OUTPUT -o eth1 -d fc00::/7 -j address-93
-A OUTPUT -o eth1 -d fc00::/7 -j address-94
-A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-267
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-167
--A OUTPUT -j logaccept-268
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-168
--A OUTPUT -j logaccept-269
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-169
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-270
--A OUTPUT -j logdrop-4
--A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A address-108 -d fc00::2 -j ACCEPT
@@ -13769,15 +13363,7 @@ COMMIT
-A logaccept-234 -j ACCEPT
-A logaccept-26 -m limit --limit 1/second -j LOG
-A logaccept-26 -j ACCEPT
--A logaccept-267 -m limit --limit 1/second -j LOG
--A logaccept-267 -j ACCEPT
--A logaccept-268 -j LOG
--A logaccept-268 -j TEE --gateway fc00::1
--A logaccept-268 -j ACCEPT
--A logaccept-269 -j TEE --gateway fc00::2
--A logaccept-269 -j ACCEPT
-A logaccept-27 -j ACCEPT
--A logaccept-270 -j ACCEPT
-A logaccept-28 -m limit --limit 1/second -j LOG
-A logaccept-28 -j ACCEPT
-A logaccept-29 -j ACCEPT
@@ -13831,16 +13417,6 @@ COMMIT
-A logaccept-88 -j ACCEPT
-A logaccept-89 -j ACCEPT
-A logaccept-9 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j TEE --gateway fc00::1
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway fc00::2
--A logdrop-3 -j DROP
--A logdrop-4 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
-A logpass-109 -m limit --limit 1/second -j LOG
-A logpass-115 -m limit --limit 1/second -j LOG
@@ -13848,10 +13424,6 @@ COMMIT
-A logpass-130 -m limit --limit 1/second -j LOG
-A logpass-136 -m limit --limit 1/second -j LOG
-A logpass-137 -m limit --limit 1/second -j LOG
--A logpass-167 -m limit --limit 1/second -j LOG
--A logpass-168 -j LOG
--A logpass-168 -j TEE --gateway fc00::1
--A logpass-169 -j TEE --gateway fc00::2
-A logpass-25 -m limit --limit 1/second -j LOG
-A logpass-26 -m limit --limit 1/second -j LOG
-A logpass-27 -m limit --limit 1/second -j LOG
diff --git a/test/output/address/rules-save b/test/output/address/rules-save
index d591002..4639029 100644
--- a/test/output/address/rules-save
+++ b/test/output/address/rules-save
@@ -543,10 +543,6 @@
:logaccept-264 - [0:0]
:logaccept-265 - [0:0]
:logaccept-266 - [0:0]
-:logaccept-267 - [0:0]
-:logaccept-268 - [0:0]
-:logaccept-269 - [0:0]
-:logaccept-270 - [0:0]
:logaccept-3 - [0:0]
:logaccept-32 - [0:0]
:logaccept-33 - [0:0]
@@ -610,11 +606,6 @@
:logaccept-97 - [0:0]
:logaccept-98 - [0:0]
:logaccept-99 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
:logpass-0 - [0:0]
:logpass-1 - [0:0]
:logpass-10 - [0:0]
@@ -689,11 +680,7 @@
:logpass-164 - [0:0]
:logpass-165 - [0:0]
:logpass-166 - [0:0]
-:logpass-167 - [0:0]
-:logpass-168 - [0:0]
-:logpass-169 - [0:0]
:logpass-17 - [0:0]
-:logpass-170 - [0:0]
:logpass-18 - [0:0]
:logpass-19 - [0:0]
:logpass-2 - [0:0]
@@ -1878,27 +1865,6 @@
-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j address-472
-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j address-473
-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j address-473
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-267
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-167
--A FORWARD -j logaccept-268
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-168
--A FORWARD -j logaccept-269
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-169
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-270
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-170
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -2664,27 +2630,6 @@
-A INPUT -i eth1 -s 10.0.0.0/12 -j address-383
-A INPUT -i eth2 -s 10.1.0.0/12 -j address-383
-A INPUT -i eth3 -s 10.1.0.0/12 -j address-383
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-267
--A INPUT -j logdrop-1
--A INPUT -j logpass-167
--A INPUT -j logaccept-268
--A INPUT -j logdrop-2
--A INPUT -j logpass-168
--A INPUT -j logaccept-269
--A INPUT -j logdrop-3
--A INPUT -j logpass-169
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-270
--A INPUT -j logdrop-4
--A INPUT -j logpass-170
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
@@ -2942,27 +2887,6 @@
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j address-93
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j address-94
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j address-95
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-267
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-167
--A OUTPUT -j logaccept-268
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-168
--A OUTPUT -j logaccept-269
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-169
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-270
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-170
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -3916,15 +3840,6 @@
-A logaccept-265 -j ACCEPT
-A logaccept-266 -m limit --limit 12/minute -j ULOG
-A logaccept-266 -j ACCEPT
--A logaccept-267 -m limit --limit 1/second -j LOG
--A logaccept-267 -j ACCEPT
--A logaccept-268 -j LOG
--A logaccept-268 -j ACCEPT
--A logaccept-269 -j TEE --gateway 10.0.0.1
--A logaccept-269 -j TEE --gateway 10.0.0.2
--A logaccept-269 -j ACCEPT
--A logaccept-270 -m limit --limit 12/minute -j ULOG
--A logaccept-270 -j ACCEPT
-A logaccept-3 -m limit --limit 12/minute -j ULOG
-A logaccept-3 -j ACCEPT
-A logaccept-32 -m limit --limit 1/second -j LOG
@@ -4051,17 +3966,6 @@
-A logaccept-98 -j ACCEPT
-A logaccept-99 -m limit --limit 12/minute -j ULOG
-A logaccept-99 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway 10.0.0.1
--A logdrop-3 -j TEE --gateway 10.0.0.2
--A logdrop-3 -j DROP
--A logdrop-4 -m limit --limit 12/minute -j ULOG
--A logdrop-4 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
-A logpass-1 -m limit --limit 12/minute -j ULOG
-A logpass-10 -m limit --limit 12/minute -j ULOG
@@ -4136,12 +4040,7 @@
-A logpass-164 -m limit --limit 12/minute -j ULOG
-A logpass-165 -m limit --limit 1/second -j LOG
-A logpass-166 -m limit --limit 12/minute -j ULOG
--A logpass-167 -m limit --limit 1/second -j LOG
--A logpass-168 -j LOG
--A logpass-169 -j TEE --gateway 10.0.0.1
--A logpass-169 -j TEE --gateway 10.0.0.2
-A logpass-17 -m limit --limit 1/second -j LOG
--A logpass-170 -m limit --limit 12/minute -j ULOG
-A logpass-18 -m limit --limit 12/minute -j ULOG
-A logpass-19 -m limit --limit 1/second -j LOG
-A logpass-2 -m limit --limit 1/second -j LOG
diff --git a/test/output/address/rules6-save b/test/output/address/rules6-save
index 47efb3c..4150949 100644
--- a/test/output/address/rules6-save
+++ b/test/output/address/rules6-save
@@ -180,11 +180,7 @@
:logaccept-233 - [0:0]
:logaccept-234 - [0:0]
:logaccept-26 - [0:0]
-:logaccept-267 - [0:0]
-:logaccept-268 - [0:0]
-:logaccept-269 - [0:0]
:logaccept-27 - [0:0]
-:logaccept-270 - [0:0]
:logaccept-28 - [0:0]
:logaccept-29 - [0:0]
:logaccept-30 - [0:0]
@@ -219,11 +215,6 @@
:logaccept-88 - [0:0]
:logaccept-89 - [0:0]
:logaccept-9 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
:logpass-0 - [0:0]
:logpass-109 - [0:0]
:logpass-115 - [0:0]
@@ -231,9 +222,6 @@
:logpass-130 - [0:0]
:logpass-136 - [0:0]
:logpass-137 - [0:0]
-:logpass-167 - [0:0]
-:logpass-168 - [0:0]
-:logpass-169 - [0:0]
:logpass-25 - [0:0]
:logpass-26 - [0:0]
:logpass-27 - [0:0]
@@ -525,26 +513,6 @@
-A FORWARD -i eth1 -s fc00::/7 -j address-380
-A FORWARD -i eth1 -s fc00::/7 -j address-381
-A FORWARD -i eth1 -s fc00::/7 -j address-382
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-267
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-167
--A FORWARD -j logaccept-268
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-168
--A FORWARD -j logaccept-269
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-169
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-270
--A FORWARD -j logdrop-4
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -756,26 +724,6 @@
-A INPUT -i eth1 -s fc00::/7 -j address-380
-A INPUT -i eth1 -s fc00::/7 -j address-381
-A INPUT -i eth1 -s fc00::/7 -j address-382
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-267
--A INPUT -j logdrop-1
--A INPUT -j logpass-167
--A INPUT -j logaccept-268
--A INPUT -j logdrop-2
--A INPUT -j logpass-168
--A INPUT -j logaccept-269
--A INPUT -j logdrop-3
--A INPUT -j logpass-169
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-270
--A INPUT -j logdrop-4
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
@@ -872,26 +820,6 @@
-A OUTPUT -o eth1 -d fc00::/7 -j address-93
-A OUTPUT -o eth1 -d fc00::/7 -j address-94
-A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-267
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-167
--A OUTPUT -j logaccept-268
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-168
--A OUTPUT -j logaccept-269
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-169
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-270
--A OUTPUT -j logdrop-4
--A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A address-108 -d fc00::2 -j ACCEPT
@@ -1109,15 +1037,7 @@
-A logaccept-234 -j ACCEPT
-A logaccept-26 -m limit --limit 1/second -j LOG
-A logaccept-26 -j ACCEPT
--A logaccept-267 -m limit --limit 1/second -j LOG
--A logaccept-267 -j ACCEPT
--A logaccept-268 -j LOG
--A logaccept-268 -j TEE --gateway fc00::1
--A logaccept-268 -j ACCEPT
--A logaccept-269 -j TEE --gateway fc00::2
--A logaccept-269 -j ACCEPT
-A logaccept-27 -j ACCEPT
--A logaccept-270 -j ACCEPT
-A logaccept-28 -m limit --limit 1/second -j LOG
-A logaccept-28 -j ACCEPT
-A logaccept-29 -j ACCEPT
@@ -1171,16 +1091,6 @@
-A logaccept-88 -j ACCEPT
-A logaccept-89 -j ACCEPT
-A logaccept-9 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j TEE --gateway fc00::1
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway fc00::2
--A logdrop-3 -j DROP
--A logdrop-4 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
-A logpass-109 -m limit --limit 1/second -j LOG
-A logpass-115 -m limit --limit 1/second -j LOG
@@ -1188,10 +1098,6 @@
-A logpass-130 -m limit --limit 1/second -j LOG
-A logpass-136 -m limit --limit 1/second -j LOG
-A logpass-137 -m limit --limit 1/second -j LOG
--A logpass-167 -m limit --limit 1/second -j LOG
--A logpass-168 -j LOG
--A logpass-168 -j TEE --gateway fc00::1
--A logpass-169 -j TEE --gateway fc00::2
-A logpass-25 -m limit --limit 1/second -j LOG
-A logpass-26 -m limit --limit 1/second -j LOG
-A logpass-27 -m limit --limit 1/second -j LOG
diff --git a/test/output/custom/dump b/test/output/custom/dump
index 998dcce..67c6316 100644
--- a/test/output/custom/dump
+++ b/test/output/custom/dump
@@ -17,350 +17,117 @@ Dnat 3 {"in":"B"}
inet/nat/PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
-Filter 1 {"match":"-m owner --uid-owner 0","out":"A"}
-(custom)
- inet/filter/FORWARD -o eth0 -m owner --uid-owner 0 -j ACCEPT
- inet/filter/OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT
- inet6/filter/FORWARD -o eth0 -m owner --uid-owner 0 -j ACCEPT
- inet6/filter/OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT
-
-Filter 2 {"action":"custom:foo","in":"B"}
-(custom)
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -j custom:foo
- inet/filter/INPUT -i eth1 -s 10.0.0.0/12 -j custom:foo
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -j custom:foo
- inet6/filter/INPUT -i eth1 -s fc00::/7 -j custom:foo
-
-Filter 3 {}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 4 {"action":"drop"}
-(log)
- inet/filter/FORWARD -j logdrop-0
- inet/filter/INPUT -j logdrop-0
- inet/filter/OUTPUT -j logdrop-0
- inet/filter/logdrop-0 -m limit --limit 1/second -j LOG
- inet/filter/logdrop-0 -j DROP
- inet6/filter/FORWARD -j logdrop-0
- inet6/filter/INPUT -j logdrop-0
- inet6/filter/OUTPUT -j logdrop-0
- inet6/filter/logdrop-0 -m limit --limit 1/second -j LOG
- inet6/filter/logdrop-0 -j DROP
-
-Filter 5 {"action":"pass"}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 6 {"log":false}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 7 {"action":"drop","log":false}
-(log)
- inet/filter/FORWARD -j DROP
- inet/filter/INPUT -j DROP
- inet/filter/OUTPUT -j DROP
- inet6/filter/FORWARD -j DROP
- inet6/filter/INPUT -j DROP
- inet6/filter/OUTPUT -j DROP
-
-Filter 8 {"action":"pass","log":false}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 9 {"log":true}
-(log)
- inet/filter/FORWARD -j logaccept-0
- inet/filter/INPUT -j logaccept-0
- inet/filter/OUTPUT -j logaccept-0
- inet/filter/logaccept-0 -m limit --limit 1/second -j LOG
- inet/filter/logaccept-0 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-0
- inet6/filter/INPUT -j logaccept-0
- inet6/filter/OUTPUT -j logaccept-0
- inet6/filter/logaccept-0 -m limit --limit 1/second -j LOG
- inet6/filter/logaccept-0 -j ACCEPT
-
-Filter 10 {"action":"drop","log":true}
-(log)
- inet/filter/FORWARD -j logdrop-1
- inet/filter/INPUT -j logdrop-1
- inet/filter/OUTPUT -j logdrop-1
- inet/filter/logdrop-1 -m limit --limit 1/second -j LOG
- inet/filter/logdrop-1 -j DROP
- inet6/filter/FORWARD -j logdrop-1
- inet6/filter/INPUT -j logdrop-1
- inet6/filter/OUTPUT -j logdrop-1
- inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG
- inet6/filter/logdrop-1 -j DROP
-
-Filter 11 {"action":"pass","log":true}
-(log)
- inet/filter/FORWARD -j logpass-0
- inet/filter/INPUT -j logpass-0
- inet/filter/OUTPUT -j logpass-0
- inet/filter/logpass-0 -m limit --limit 1/second -j LOG
- inet6/filter/FORWARD -j logpass-0
- inet6/filter/INPUT -j logpass-0
- inet6/filter/OUTPUT -j logpass-0
- inet6/filter/logpass-0 -m limit --limit 1/second -j LOG
-
-Filter 12 {"log":"dual"}
-(log)
- inet/filter/FORWARD -j logaccept-1
- inet/filter/INPUT -j logaccept-1
- inet/filter/OUTPUT -j logaccept-1
- inet/filter/logaccept-1 -j LOG
- inet/filter/logaccept-1 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-1
- inet6/filter/INPUT -j logaccept-1
- inet6/filter/OUTPUT -j logaccept-1
- inet6/filter/logaccept-1 -j LOG
- inet6/filter/logaccept-1 -j TEE --gateway fc00::1
- inet6/filter/logaccept-1 -j ACCEPT
-
-Filter 13 {"action":"drop","log":"dual"}
-(log)
- inet/filter/FORWARD -j logdrop-2
- inet/filter/INPUT -j logdrop-2
- inet/filter/OUTPUT -j logdrop-2
- inet/filter/logdrop-2 -j LOG
- inet/filter/logdrop-2 -j DROP
- inet6/filter/FORWARD -j logdrop-2
- inet6/filter/INPUT -j logdrop-2
- inet6/filter/OUTPUT -j logdrop-2
- inet6/filter/logdrop-2 -j LOG
- inet6/filter/logdrop-2 -j TEE --gateway fc00::1
- inet6/filter/logdrop-2 -j DROP
-
-Filter 14 {"action":"pass","log":"dual"}
-(log)
- inet/filter/FORWARD -j logpass-1
- inet/filter/INPUT -j logpass-1
- inet/filter/OUTPUT -j logpass-1
- inet/filter/logpass-1 -j LOG
- inet6/filter/FORWARD -j logpass-1
- inet6/filter/INPUT -j logpass-1
- inet6/filter/OUTPUT -j logpass-1
- inet6/filter/logpass-1 -j LOG
- inet6/filter/logpass-1 -j TEE --gateway fc00::1
-
-Filter 15 {"log":"mirror"}
-(log)
- inet/filter/FORWARD -j logaccept-2
- inet/filter/INPUT -j logaccept-2
- inet/filter/OUTPUT -j logaccept-2
- inet/filter/logaccept-2 -j TEE --gateway 10.0.0.1
- inet/filter/logaccept-2 -j TEE --gateway 10.0.0.2
- inet/filter/logaccept-2 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-2
- inet6/filter/INPUT -j logaccept-2
- inet6/filter/OUTPUT -j logaccept-2
- inet6/filter/logaccept-2 -j TEE --gateway fc00::2
- inet6/filter/logaccept-2 -j ACCEPT
-
-Filter 16 {"action":"drop","log":"mirror"}
-(log)
- inet/filter/FORWARD -j logdrop-3
- inet/filter/INPUT -j logdrop-3
- inet/filter/OUTPUT -j logdrop-3
- inet/filter/logdrop-3 -j TEE --gateway 10.0.0.1
- inet/filter/logdrop-3 -j TEE --gateway 10.0.0.2
- inet/filter/logdrop-3 -j DROP
- inet6/filter/FORWARD -j logdrop-3
- inet6/filter/INPUT -j logdrop-3
- inet6/filter/OUTPUT -j logdrop-3
- inet6/filter/logdrop-3 -j TEE --gateway fc00::2
- inet6/filter/logdrop-3 -j DROP
-
-Filter 17 {"action":"pass","log":"mirror"}
-(log)
- inet/filter/FORWARD -j logpass-2
- inet/filter/INPUT -j logpass-2
- inet/filter/OUTPUT -j logpass-2
- inet/filter/logpass-2 -j TEE --gateway 10.0.0.1
- inet/filter/logpass-2 -j TEE --gateway 10.0.0.2
- inet6/filter/FORWARD -j logpass-2
- inet6/filter/INPUT -j logpass-2
- inet6/filter/OUTPUT -j logpass-2
- inet6/filter/logpass-2 -j TEE --gateway fc00::2
-
-Filter 18 {"log":"none"}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 19 {"action":"drop","log":"none"}
-(log)
- inet/filter/FORWARD -j DROP
- inet/filter/INPUT -j DROP
- inet/filter/OUTPUT -j DROP
- inet6/filter/FORWARD -j DROP
- inet6/filter/INPUT -j DROP
- inet6/filter/OUTPUT -j DROP
-
-Filter 20 {"action":"pass","log":"none"}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 21 {"log":"ulog"}
-(log)
- inet/filter/FORWARD -j logaccept-3
- inet/filter/INPUT -j logaccept-3
- inet/filter/OUTPUT -j logaccept-3
- inet/filter/logaccept-3 -m limit --limit 12/minute -j ULOG
- inet/filter/logaccept-3 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-3
- inet6/filter/INPUT -j logaccept-3
- inet6/filter/OUTPUT -j logaccept-3
- inet6/filter/logaccept-3 -j ACCEPT
-
-Filter 22 {"action":"drop","log":"ulog"}
-(log)
- inet/filter/FORWARD -j logdrop-4
- inet/filter/INPUT -j logdrop-4
- inet/filter/OUTPUT -j logdrop-4
- inet/filter/logdrop-4 -m limit --limit 12/minute -j ULOG
- inet/filter/logdrop-4 -j DROP
- inet6/filter/FORWARD -j logdrop-4
- inet6/filter/INPUT -j logdrop-4
- inet6/filter/OUTPUT -j logdrop-4
- inet6/filter/logdrop-4 -j DROP
-
-Filter 23 {"action":"pass","log":"ulog"}
-(log)
- inet/filter/FORWARD -j logpass-3
- inet/filter/INPUT -j logpass-3
- inet/filter/OUTPUT -j logpass-3
- inet/filter/logpass-3 -m limit --limit 12/minute -j ULOG
-
-Filter 24 {"action":"pass","in":"_fw","log":"ulog"}
-(log)
- inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
-
-Filter 25 {"in":["_fw","A"]}
-(zone)
- inet/filter/FORWARD -i eth0 -j ACCEPT
- inet/filter/INPUT -i eth0 -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -i eth0 -j ACCEPT
- inet6/filter/INPUT -i eth0 -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 26 {"in":"B","out":"C"}
-(zone)
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+Filter 1 {"match":"-m owner --uid-owner 0","out":"A"}
+(custom)
+ inet/filter/FORWARD -o eth0 -m owner --uid-owner 0 -j ACCEPT
+ inet/filter/OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT
+ inet6/filter/FORWARD -o eth0 -m owner --uid-owner 0 -j ACCEPT
+ inet6/filter/OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT
+
+Filter 2 {"action":"custom:foo","in":"B"}
+(custom)
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -j custom:foo
+ inet/filter/INPUT -i eth1 -s 10.0.0.0/12 -j custom:foo
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -j custom:foo
+ inet6/filter/INPUT -i eth1 -s fc00::/7 -j custom:foo
+
+Filter 3 {"action":"pass","in":"_fw","log":"ulog"}
+(log)
+ inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
+
+Filter 4 {"in":["_fw","A"]}
+(zone)
+ inet/filter/FORWARD -i eth0 -j ACCEPT
+ inet/filter/INPUT -i eth0 -j ACCEPT
+ inet/filter/OUTPUT -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -j ACCEPT
+ inet6/filter/INPUT -i eth0 -j ACCEPT
+ inet6/filter/OUTPUT -j ACCEPT
+
+Filter 5 {"in":"B","out":"C"}
+(zone)
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-Filter 27 {"out":["_fw","B"]}
-(zone)
- inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-
-Filter 28 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
-(zone)
- inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+Filter 6 {"out":["_fw","B"]}
+(zone)
+ inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/INPUT -j ACCEPT
+ inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/INPUT -j ACCEPT
+ inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
+
+Filter 7 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
+(zone)
+ inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
Ipset awall-masquerade {"family":"inet","type":"hash:net"}
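Review bot: The re-added `Filter 1` case still expects `-m owner --uid-owner 0` on `inet/filter/FORWARD` and `inet6/filter/FORWARD`, but the owner match is only valid in the OUTPUT and POSTROUTING chains, so a ruleset containing those two lines would be rejected when it is loaded. While the fixtures are being reorganised, the case could be limited to locally generated traffic, for example `{"match":"-m owner --uid-owner 0","in":"_fw","out":"A"}`, which by analogy with `Filter 3` should presumably leave only the OUTPUT lines. The policy file that defines this case is not part of the hunk, so the change belongs there and the fixture would then be regenerated. If FORWARD is kept on purpose to show that `match` strings are passed through unchecked, a short note next to the test policy saying so would keep readers from copying the rule into a real configuration.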
@@ -701,43 +468,9 @@ hash:net family inet
:OUTPUT DROP [0:0]
:custom:foo - [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -m owner --uid-owner 0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -j custom:foo
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-3
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -796,54 +529,12 @@ hash:net family inet
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -s 10.0.0.0/12 -j custom:foo
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
--A INPUT -j logpass-3
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-3
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -852,31 +543,6 @@ hash:net family inet
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway 10.0.0.1
--A logaccept-2 -j TEE --gateway 10.0.0.2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -m limit --limit 12/minute -j ULOG
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway 10.0.0.1
--A logdrop-3 -j TEE --gateway 10.0.0.2
--A logdrop-3 -j DROP
--A logdrop-4 -m limit --limit 12/minute -j ULOG
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
@@ -924,41 +590,9 @@ COMMIT
:OUTPUT DROP [0:0]
:custom:foo - [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -m owner --uid-owner 0 -j ACCEPT
-A FORWARD -i eth1 -s fc00::/7 -j custom:foo
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -991,26 +625,6 @@ COMMIT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -s fc00::/7 -j custom:foo
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
@@ -1018,26 +632,6 @@ COMMIT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A custom:foo -m hl --hl-lt 7 -j REJECT --reject-with icmpv6-no-route
@@ -1046,28 +640,6 @@ COMMIT
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j TEE --gateway fc00::1
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway fc00::2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j TEE --gateway fc00::1
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway fc00::2
--A logdrop-3 -j DROP
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
COMMIT
*mangle
:INPUT ACCEPT [0:0]
diff --git a/test/output/custom/rules-save b/test/output/custom/rules-save
index 2265a93..4a84d7d 100644
--- a/test/output/custom/rules-save
+++ b/test/output/custom/rules-save
@@ -5,43 +5,9 @@
:OUTPUT DROP [0:0]
:custom:foo - [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -m owner --uid-owner 0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -j custom:foo
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-3
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -100,54 +66,12 @@
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -s 10.0.0.0/12 -j custom:foo
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
--A INPUT -j logpass-3
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-3
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -156,31 +80,6 @@
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway 10.0.0.1
--A logaccept-2 -j TEE --gateway 10.0.0.2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -m limit --limit 12/minute -j ULOG
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway 10.0.0.1
--A logdrop-3 -j TEE --gateway 10.0.0.2
--A logdrop-3 -j DROP
--A logdrop-4 -m limit --limit 12/minute -j ULOG
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
diff --git a/test/output/custom/rules6-save b/test/output/custom/rules6-save
index 6069e82..b484c3f 100644
--- a/test/output/custom/rules6-save
+++ b/test/output/custom/rules6-save
@@ -5,41 +5,9 @@
:OUTPUT DROP [0:0]
:custom:foo - [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -m owner --uid-owner 0 -j ACCEPT
-A FORWARD -i eth1 -s fc00::/7 -j custom:foo
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -72,26 +40,6 @@
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -s fc00::/7 -j custom:foo
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
@@ -99,26 +47,6 @@
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A custom:foo -m hl --hl-lt 7 -j REJECT --reject-with icmpv6-no-route
@@ -127,28 +55,6 @@
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j TEE --gateway fc00::1
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway fc00::2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j TEE --gateway fc00::1
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway fc00::2
--A logdrop-3 -j DROP
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
COMMIT
*mangle
:INPUT ACCEPT [0:0]
diff --git a/test/output/dedicated/dump b/test/output/dedicated/dump
index 07316b6..a58ef41 100644
--- a/test/output/dedicated/dump
+++ b/test/output/dedicated/dump
@@ -12,336 +12,103 @@ Dnat 2 {"in":"B"}
inet/nat/awall-PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
-Filter 1 {}
-(log)
- inet/filter/awall-FORWARD -j ACCEPT
- inet/filter/awall-INPUT -j ACCEPT
- inet/filter/awall-OUTPUT -j ACCEPT
- inet6/filter/awall-FORWARD -j ACCEPT
- inet6/filter/awall-INPUT -j ACCEPT
- inet6/filter/awall-OUTPUT -j ACCEPT
-
-Filter 2 {"action":"drop"}
-(log)
- inet/filter/awall-FORWARD -j awall-logdrop-0
- inet/filter/awall-INPUT -j awall-logdrop-0
- inet/filter/awall-OUTPUT -j awall-logdrop-0
- inet/filter/awall-logdrop-0 -m limit --limit 1/second -j LOG
- inet/filter/awall-logdrop-0 -j DROP
- inet6/filter/awall-FORWARD -j awall-logdrop-0
- inet6/filter/awall-INPUT -j awall-logdrop-0
- inet6/filter/awall-OUTPUT -j awall-logdrop-0
- inet6/filter/awall-logdrop-0 -m limit --limit 1/second -j LOG
- inet6/filter/awall-logdrop-0 -j DROP
-
-Filter 3 {"action":"pass"}
-(log)
- inet/filter/awall-FORWARD
- inet/filter/awall-INPUT
- inet/filter/awall-OUTPUT
- inet6/filter/awall-FORWARD
- inet6/filter/awall-INPUT
- inet6/filter/awall-OUTPUT
-
-Filter 4 {"log":false}
-(log)
- inet/filter/awall-FORWARD -j ACCEPT
- inet/filter/awall-INPUT -j ACCEPT
- inet/filter/awall-OUTPUT -j ACCEPT
- inet6/filter/awall-FORWARD -j ACCEPT
- inet6/filter/awall-INPUT -j ACCEPT
- inet6/filter/awall-OUTPUT -j ACCEPT
-
-Filter 5 {"action":"drop","log":false}
-(log)
- inet/filter/awall-FORWARD -j DROP
- inet/filter/awall-INPUT -j DROP
- inet/filter/awall-OUTPUT -j DROP
- inet6/filter/awall-FORWARD -j DROP
- inet6/filter/awall-INPUT -j DROP
- inet6/filter/awall-OUTPUT -j DROP
-
-Filter 6 {"action":"pass","log":false}
-(log)
- inet/filter/awall-FORWARD
- inet/filter/awall-INPUT
- inet/filter/awall-OUTPUT
- inet6/filter/awall-FORWARD
- inet6/filter/awall-INPUT
- inet6/filter/awall-OUTPUT
-
-Filter 7 {"log":true}
-(log)
- inet/filter/awall-FORWARD -j awall-logaccept-0
- inet/filter/awall-INPUT -j awall-logaccept-0
- inet/filter/awall-OUTPUT -j awall-logaccept-0
- inet/filter/awall-logaccept-0 -m limit --limit 1/second -j LOG
- inet/filter/awall-logaccept-0 -j ACCEPT
- inet6/filter/awall-FORWARD -j awall-logaccept-0
- inet6/filter/awall-INPUT -j awall-logaccept-0
- inet6/filter/awall-OUTPUT -j awall-logaccept-0
- inet6/filter/awall-logaccept-0 -m limit --limit 1/second -j LOG
- inet6/filter/awall-logaccept-0 -j ACCEPT
-
-Filter 8 {"action":"drop","log":true}
-(log)
- inet/filter/awall-FORWARD -j awall-logdrop-1
- inet/filter/awall-INPUT -j awall-logdrop-1
- inet/filter/awall-OUTPUT -j awall-logdrop-1
- inet/filter/awall-logdrop-1 -m limit --limit 1/second -j LOG
- inet/filter/awall-logdrop-1 -j DROP
- inet6/filter/awall-FORWARD -j awall-logdrop-1
- inet6/filter/awall-INPUT -j awall-logdrop-1
- inet6/filter/awall-OUTPUT -j awall-logdrop-1
- inet6/filter/awall-logdrop-1 -m limit --limit 1/second -j LOG
- inet6/filter/awall-logdrop-1 -j DROP
-
-Filter 9 {"action":"pass","log":true}
-(log)
- inet/filter/awall-FORWARD -j awall-logpass-0
- inet/filter/awall-INPUT -j awall-logpass-0
- inet/filter/awall-OUTPUT -j awall-logpass-0
- inet/filter/awall-logpass-0 -m limit --limit 1/second -j LOG
- inet6/filter/awall-FORWARD -j awall-logpass-0
- inet6/filter/awall-INPUT -j awall-logpass-0
- inet6/filter/awall-OUTPUT -j awall-logpass-0
- inet6/filter/awall-logpass-0 -m limit --limit 1/second -j LOG
-
-Filter 10 {"log":"dual"}
-(log)
- inet/filter/awall-FORWARD -j awall-logaccept-1
- inet/filter/awall-INPUT -j awall-logaccept-1
- inet/filter/awall-OUTPUT -j awall-logaccept-1
- inet/filter/awall-logaccept-1 -j LOG
- inet/filter/awall-logaccept-1 -j ACCEPT
- inet6/filter/awall-FORWARD -j awall-logaccept-1
- inet6/filter/awall-INPUT -j awall-logaccept-1
- inet6/filter/awall-OUTPUT -j awall-logaccept-1
- inet6/filter/awall-logaccept-1 -j LOG
- inet6/filter/awall-logaccept-1 -j TEE --gateway fc00::1
- inet6/filter/awall-logaccept-1 -j ACCEPT
-
-Filter 11 {"action":"drop","log":"dual"}
-(log)
- inet/filter/awall-FORWARD -j awall-logdrop-2
- inet/filter/awall-INPUT -j awall-logdrop-2
- inet/filter/awall-OUTPUT -j awall-logdrop-2
- inet/filter/awall-logdrop-2 -j LOG
- inet/filter/awall-logdrop-2 -j DROP
- inet6/filter/awall-FORWARD -j awall-logdrop-2
- inet6/filter/awall-INPUT -j awall-logdrop-2
- inet6/filter/awall-OUTPUT -j awall-logdrop-2
- inet6/filter/awall-logdrop-2 -j LOG
- inet6/filter/awall-logdrop-2 -j TEE --gateway fc00::1
- inet6/filter/awall-logdrop-2 -j DROP
-
-Filter 12 {"action":"pass","log":"dual"}
-(log)
- inet/filter/awall-FORWARD -j awall-logpass-1
- inet/filter/awall-INPUT -j awall-logpass-1
- inet/filter/awall-OUTPUT -j awall-logpass-1
- inet/filter/awall-logpass-1 -j LOG
- inet6/filter/awall-FORWARD -j awall-logpass-1
- inet6/filter/awall-INPUT -j awall-logpass-1
- inet6/filter/awall-OUTPUT -j awall-logpass-1
- inet6/filter/awall-logpass-1 -j LOG
- inet6/filter/awall-logpass-1 -j TEE --gateway fc00::1
-
-Filter 13 {"log":"mirror"}
-(log)
- inet/filter/awall-FORWARD -j awall-logaccept-2
- inet/filter/awall-INPUT -j awall-logaccept-2
- inet/filter/awall-OUTPUT -j awall-logaccept-2
- inet/filter/awall-logaccept-2 -j TEE --gateway 10.0.0.1
- inet/filter/awall-logaccept-2 -j TEE --gateway 10.0.0.2
- inet/filter/awall-logaccept-2 -j ACCEPT
- inet6/filter/awall-FORWARD -j awall-logaccept-2
- inet6/filter/awall-INPUT -j awall-logaccept-2
- inet6/filter/awall-OUTPUT -j awall-logaccept-2
- inet6/filter/awall-logaccept-2 -j TEE --gateway fc00::2
- inet6/filter/awall-logaccept-2 -j ACCEPT
-
-Filter 14 {"action":"drop","log":"mirror"}
-(log)
- inet/filter/awall-FORWARD -j awall-logdrop-3
- inet/filter/awall-INPUT -j awall-logdrop-3
- inet/filter/awall-OUTPUT -j awall-logdrop-3
- inet/filter/awall-logdrop-3 -j TEE --gateway 10.0.0.1
- inet/filter/awall-logdrop-3 -j TEE --gateway 10.0.0.2
- inet/filter/awall-logdrop-3 -j DROP
- inet6/filter/awall-FORWARD -j awall-logdrop-3
- inet6/filter/awall-INPUT -j awall-logdrop-3
- inet6/filter/awall-OUTPUT -j awall-logdrop-3
- inet6/filter/awall-logdrop-3 -j TEE --gateway fc00::2
- inet6/filter/awall-logdrop-3 -j DROP
-
-Filter 15 {"action":"pass","log":"mirror"}
-(log)
- inet/filter/awall-FORWARD -j awall-logpass-2
- inet/filter/awall-INPUT -j awall-logpass-2
- inet/filter/awall-OUTPUT -j awall-logpass-2
- inet/filter/awall-logpass-2 -j TEE --gateway 10.0.0.1
- inet/filter/awall-logpass-2 -j TEE --gateway 10.0.0.2
- inet6/filter/awall-FORWARD -j awall-logpass-2
- inet6/filter/awall-INPUT -j awall-logpass-2
- inet6/filter/awall-OUTPUT -j awall-logpass-2
- inet6/filter/awall-logpass-2 -j TEE --gateway fc00::2
-
-Filter 16 {"log":"none"}
-(log)
- inet/filter/awall-FORWARD -j ACCEPT
- inet/filter/awall-INPUT -j ACCEPT
- inet/filter/awall-OUTPUT -j ACCEPT
- inet6/filter/awall-FORWARD -j ACCEPT
- inet6/filter/awall-INPUT -j ACCEPT
- inet6/filter/awall-OUTPUT -j ACCEPT
-
-Filter 17 {"action":"drop","log":"none"}
-(log)
- inet/filter/awall-FORWARD -j DROP
- inet/filter/awall-INPUT -j DROP
- inet/filter/awall-OUTPUT -j DROP
- inet6/filter/awall-FORWARD -j DROP
- inet6/filter/awall-INPUT -j DROP
- inet6/filter/awall-OUTPUT -j DROP
-
-Filter 18 {"action":"pass","log":"none"}
-(log)
- inet/filter/awall-FORWARD
- inet/filter/awall-INPUT
- inet/filter/awall-OUTPUT
- inet6/filter/awall-FORWARD
- inet6/filter/awall-INPUT
- inet6/filter/awall-OUTPUT
-
-Filter 19 {"log":"ulog"}
-(log)
- inet/filter/awall-FORWARD -j awall-logaccept-3
- inet/filter/awall-INPUT -j awall-logaccept-3
- inet/filter/awall-OUTPUT -j awall-logaccept-3
- inet/filter/awall-logaccept-3 -m limit --limit 12/minute -j ULOG
- inet/filter/awall-logaccept-3 -j ACCEPT
- inet6/filter/awall-FORWARD -j awall-logaccept-3
- inet6/filter/awall-INPUT -j awall-logaccept-3
- inet6/filter/awall-OUTPUT -j awall-logaccept-3
- inet6/filter/awall-logaccept-3 -j ACCEPT
-
-Filter 20 {"action":"drop","log":"ulog"}
-(log)
- inet/filter/awall-FORWARD -j awall-logdrop-4
- inet/filter/awall-INPUT -j awall-logdrop-4
- inet/filter/awall-OUTPUT -j awall-logdrop-4
- inet/filter/awall-logdrop-4 -m limit --limit 12/minute -j ULOG
- inet/filter/awall-logdrop-4 -j DROP
- inet6/filter/awall-FORWARD -j awall-logdrop-4
- inet6/filter/awall-INPUT -j awall-logdrop-4
- inet6/filter/awall-OUTPUT -j awall-logdrop-4
- inet6/filter/awall-logdrop-4 -j DROP
-
-Filter 21 {"action":"pass","log":"ulog"}
-(log)
- inet/filter/awall-FORWARD -j awall-logpass-3
- inet/filter/awall-INPUT -j awall-logpass-3
- inet/filter/awall-OUTPUT -j awall-logpass-3
- inet/filter/awall-logpass-3 -m limit --limit 12/minute -j ULOG
-
-Filter 22 {"action":"pass","in":"_fw","log":"ulog"}
-(log)
- inet/filter/awall-OUTPUT -m limit --limit 12/minute -j ULOG
-
-Filter 23 {"in":["_fw","A"]}
-(zone)
- inet/filter/awall-FORWARD -i eth0 -j ACCEPT
- inet/filter/awall-INPUT -i eth0 -j ACCEPT
- inet/filter/awall-OUTPUT -j ACCEPT
- inet6/filter/awall-FORWARD -i eth0 -j ACCEPT
- inet6/filter/awall-INPUT -i eth0 -j ACCEPT
- inet6/filter/awall-OUTPUT -j ACCEPT
-
-Filter 24 {"in":"B","out":"C"}
-(zone)
- inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+Filter 1 {"action":"pass","in":"_fw","log":"ulog"}
+(log)
+ inet/filter/awall-OUTPUT -m limit --limit 12/minute -j ULOG
-Filter 25 {"out":["_fw","B"]}
-(zone)
- inet/filter/awall-FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/awall-INPUT -j ACCEPT
- inet/filter/awall-OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet6/filter/awall-FORWARD -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/awall-INPUT -j ACCEPT
- inet6/filter/awall-OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-
-Filter 26 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
-(zone)
- inet/filter/awall-FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/awall-FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/awall-FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/awall-FORWARD -i eth0 -o eth4 -j ACCEPT
- inet/filter/awall-FORWARD -i eth0 -o eth5 -j ACCEPT
- inet/filter/awall-FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
- inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
- inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
- inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
- inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
- inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
- inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
- inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
- inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
- inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/awall-FORWARD -i eth4 -o eth0 -j ACCEPT
- inet/filter/awall-FORWARD -i eth5 -o eth0 -j ACCEPT
- inet/filter/awall-FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/awall-FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/awall-FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/awall-FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/awall-FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/awall-FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/awall-FORWARD -i eth4 -o eth4 -j ACCEPT
- inet/filter/awall-FORWARD -i eth4 -o eth5 -j ACCEPT
- inet/filter/awall-FORWARD -i eth5 -o eth4 -j ACCEPT
- inet/filter/awall-FORWARD -i eth5 -o eth5 -j ACCEPT
- inet/filter/awall-FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/awall-FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
- inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
- inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
- inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/awall-FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/awall-FORWARD -i eth0 -o eth4 -j ACCEPT
- inet6/filter/awall-FORWARD -i eth0 -o eth5 -j ACCEPT
- inet6/filter/awall-FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/awall-FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
- inet6/filter/awall-FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
- inet6/filter/awall-FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
- inet6/filter/awall-FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/awall-FORWARD -i eth4 -o eth0 -j ACCEPT
- inet6/filter/awall-FORWARD -i eth5 -o eth0 -j ACCEPT
- inet6/filter/awall-FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/awall-FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/awall-FORWARD -i eth4 -o eth4 -j ACCEPT
- inet6/filter/awall-FORWARD -i eth4 -o eth5 -j ACCEPT
- inet6/filter/awall-FORWARD -i eth5 -o eth4 -j ACCEPT
- inet6/filter/awall-FORWARD -i eth5 -o eth5 -j ACCEPT
- inet6/filter/awall-FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/awall-FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
- inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
- inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
- inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+Filter 2 {"in":["_fw","A"]}
+(zone)
+ inet/filter/awall-FORWARD -i eth0 -j ACCEPT
+ inet/filter/awall-INPUT -i eth0 -j ACCEPT
+ inet/filter/awall-OUTPUT -j ACCEPT
+ inet6/filter/awall-FORWARD -i eth0 -j ACCEPT
+ inet6/filter/awall-INPUT -i eth0 -j ACCEPT
+ inet6/filter/awall-OUTPUT -j ACCEPT
+
+Filter 3 {"in":"B","out":"C"}
+(zone)
+ inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+
+Filter 4 {"out":["_fw","B"]}
+(zone)
+ inet/filter/awall-FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/awall-INPUT -j ACCEPT
+ inet/filter/awall-OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet6/filter/awall-FORWARD -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/awall-INPUT -j ACCEPT
+ inet6/filter/awall-OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
+
+Filter 5 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
+(zone)
+ inet/filter/awall-FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/awall-FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet/filter/awall-FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/awall-FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/awall-FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/awall-FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet6/filter/awall-FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet6/filter/awall-FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/awall-FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
+ inet6/filter/awall-FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
+ inet6/filter/awall-FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
+ inet6/filter/awall-FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/awall-FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet6/filter/awall-FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet6/filter/awall-FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/awall-FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/awall-FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet6/filter/awall-FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet6/filter/awall-FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet6/filter/awall-FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet6/filter/awall-FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/awall-FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
Ipset awall-masquerade {"family":"inet","type":"hash:net"}
@@ -684,44 +451,10 @@ hash:net family inet
:awall-INPUT - [0:0]
:awall-OUTPUT - [0:0]
:awall-icmp-routing - [0:0]
-:awall-logaccept-0 - [0:0]
-:awall-logaccept-1 - [0:0]
-:awall-logaccept-2 - [0:0]
-:awall-logaccept-3 - [0:0]
-:awall-logdrop-0 - [0:0]
-:awall-logdrop-1 - [0:0]
-:awall-logdrop-2 - [0:0]
-:awall-logdrop-3 - [0:0]
-:awall-logdrop-4 - [0:0]
-:awall-logpass-0 - [0:0]
-:awall-logpass-1 - [0:0]
-:awall-logpass-2 - [0:0]
-:awall-logpass-3 - [0:0]
-A FORWARD -j awall-FORWARD
-A INPUT -j awall-INPUT
-A OUTPUT -j awall-OUTPUT
-A awall-FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A awall-FORWARD -j ACCEPT
--A awall-FORWARD -j awall-logdrop-0
--A awall-FORWARD
--A awall-FORWARD -j ACCEPT
--A awall-FORWARD -j DROP
--A awall-FORWARD
--A awall-FORWARD -j awall-logaccept-0
--A awall-FORWARD -j awall-logdrop-1
--A awall-FORWARD -j awall-logpass-0
--A awall-FORWARD -j awall-logaccept-1
--A awall-FORWARD -j awall-logdrop-2
--A awall-FORWARD -j awall-logpass-1
--A awall-FORWARD -j awall-logaccept-2
--A awall-FORWARD -j awall-logdrop-3
--A awall-FORWARD -j awall-logpass-2
--A awall-FORWARD -j ACCEPT
--A awall-FORWARD -j DROP
--A awall-FORWARD
--A awall-FORWARD -j awall-logaccept-3
--A awall-FORWARD -j awall-logdrop-4
--A awall-FORWARD -j awall-logpass-3
-A awall-FORWARD -i eth0 -j ACCEPT
-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -779,53 +512,11 @@ hash:net family inet
-A awall-INPUT -m limit --limit 1/second -j LOG
-A awall-INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-INPUT -i lo -j ACCEPT
--A awall-INPUT -j ACCEPT
--A awall-INPUT -j awall-logdrop-0
--A awall-INPUT
--A awall-INPUT -j ACCEPT
--A awall-INPUT -j DROP
--A awall-INPUT
--A awall-INPUT -j awall-logaccept-0
--A awall-INPUT -j awall-logdrop-1
--A awall-INPUT -j awall-logpass-0
--A awall-INPUT -j awall-logaccept-1
--A awall-INPUT -j awall-logdrop-2
--A awall-INPUT -j awall-logpass-1
--A awall-INPUT -j awall-logaccept-2
--A awall-INPUT -j awall-logdrop-3
--A awall-INPUT -j awall-logpass-2
--A awall-INPUT -j ACCEPT
--A awall-INPUT -j DROP
--A awall-INPUT
--A awall-INPUT -j awall-logaccept-3
--A awall-INPUT -j awall-logdrop-4
--A awall-INPUT -j awall-logpass-3
-A awall-INPUT -i eth0 -j ACCEPT
-A awall-INPUT -j ACCEPT
-A awall-INPUT -p icmp -j awall-icmp-routing
-A awall-OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-OUTPUT -o lo -j ACCEPT
--A awall-OUTPUT -j ACCEPT
--A awall-OUTPUT -j awall-logdrop-0
--A awall-OUTPUT
--A awall-OUTPUT -j ACCEPT
--A awall-OUTPUT -j DROP
--A awall-OUTPUT
--A awall-OUTPUT -j awall-logaccept-0
--A awall-OUTPUT -j awall-logdrop-1
--A awall-OUTPUT -j awall-logpass-0
--A awall-OUTPUT -j awall-logaccept-1
--A awall-OUTPUT -j awall-logdrop-2
--A awall-OUTPUT -j awall-logpass-1
--A awall-OUTPUT -j awall-logaccept-2
--A awall-OUTPUT -j awall-logdrop-3
--A awall-OUTPUT -j awall-logpass-2
--A awall-OUTPUT -j ACCEPT
--A awall-OUTPUT -j DROP
--A awall-OUTPUT
--A awall-OUTPUT -j awall-logaccept-3
--A awall-OUTPUT -j awall-logdrop-4
--A awall-OUTPUT -j awall-logpass-3
-A awall-OUTPUT -m limit --limit 12/minute -j ULOG
-A awall-OUTPUT -j ACCEPT
-A awall-OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -833,31 +524,6 @@ hash:net family inet
-A awall-icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A awall-icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A awall-icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A awall-logaccept-0 -m limit --limit 1/second -j LOG
--A awall-logaccept-0 -j ACCEPT
--A awall-logaccept-1 -j LOG
--A awall-logaccept-1 -j ACCEPT
--A awall-logaccept-2 -j TEE --gateway 10.0.0.1
--A awall-logaccept-2 -j TEE --gateway 10.0.0.2
--A awall-logaccept-2 -j ACCEPT
--A awall-logaccept-3 -m limit --limit 12/minute -j ULOG
--A awall-logaccept-3 -j ACCEPT
--A awall-logdrop-0 -m limit --limit 1/second -j LOG
--A awall-logdrop-0 -j DROP
--A awall-logdrop-1 -m limit --limit 1/second -j LOG
--A awall-logdrop-1 -j DROP
--A awall-logdrop-2 -j LOG
--A awall-logdrop-2 -j DROP
--A awall-logdrop-3 -j TEE --gateway 10.0.0.1
--A awall-logdrop-3 -j TEE --gateway 10.0.0.2
--A awall-logdrop-3 -j DROP
--A awall-logdrop-4 -m limit --limit 12/minute -j ULOG
--A awall-logdrop-4 -j DROP
--A awall-logpass-0 -m limit --limit 1/second -j LOG
--A awall-logpass-1 -j LOG
--A awall-logpass-2 -j TEE --gateway 10.0.0.1
--A awall-logpass-2 -j TEE --gateway 10.0.0.2
--A awall-logpass-3 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
@@ -927,42 +593,10 @@ COMMIT
:awall-INPUT - [0:0]
:awall-OUTPUT - [0:0]
:awall-icmp-routing - [0:0]
-:awall-logaccept-0 - [0:0]
-:awall-logaccept-1 - [0:0]
-:awall-logaccept-2 - [0:0]
-:awall-logaccept-3 - [0:0]
-:awall-logdrop-0 - [0:0]
-:awall-logdrop-1 - [0:0]
-:awall-logdrop-2 - [0:0]
-:awall-logdrop-3 - [0:0]
-:awall-logdrop-4 - [0:0]
-:awall-logpass-0 - [0:0]
-:awall-logpass-1 - [0:0]
-:awall-logpass-2 - [0:0]
-A FORWARD -j awall-FORWARD
-A INPUT -j awall-INPUT
-A OUTPUT -j awall-OUTPUT
-A awall-FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A awall-FORWARD -j ACCEPT
--A awall-FORWARD -j awall-logdrop-0
--A awall-FORWARD
--A awall-FORWARD -j ACCEPT
--A awall-FORWARD -j DROP
--A awall-FORWARD
--A awall-FORWARD -j awall-logaccept-0
--A awall-FORWARD -j awall-logdrop-1
--A awall-FORWARD -j awall-logpass-0
--A awall-FORWARD -j awall-logaccept-1
--A awall-FORWARD -j awall-logdrop-2
--A awall-FORWARD -j awall-logpass-1
--A awall-FORWARD -j awall-logaccept-2
--A awall-FORWARD -j awall-logdrop-3
--A awall-FORWARD -j awall-logpass-2
--A awall-FORWARD -j ACCEPT
--A awall-FORWARD -j DROP
--A awall-FORWARD
--A awall-FORWARD -j awall-logaccept-3
--A awall-FORWARD -j awall-logdrop-4
-A awall-FORWARD -i eth0 -j ACCEPT
-A awall-FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A awall-FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -994,80 +628,18 @@ COMMIT
-A awall-INPUT -m limit --limit 1/second -j LOG
-A awall-INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-INPUT -i lo -j ACCEPT
--A awall-INPUT -j ACCEPT
--A awall-INPUT -j awall-logdrop-0
--A awall-INPUT
--A awall-INPUT -j ACCEPT
--A awall-INPUT -j DROP
--A awall-INPUT
--A awall-INPUT -j awall-logaccept-0
--A awall-INPUT -j awall-logdrop-1
--A awall-INPUT -j awall-logpass-0
--A awall-INPUT -j awall-logaccept-1
--A awall-INPUT -j awall-logdrop-2
--A awall-INPUT -j awall-logpass-1
--A awall-INPUT -j awall-logaccept-2
--A awall-INPUT -j awall-logdrop-3
--A awall-INPUT -j awall-logpass-2
--A awall-INPUT -j ACCEPT
--A awall-INPUT -j DROP
--A awall-INPUT
--A awall-INPUT -j awall-logaccept-3
--A awall-INPUT -j awall-logdrop-4
-A awall-INPUT -i eth0 -j ACCEPT
-A awall-INPUT -j ACCEPT
-A awall-INPUT -p icmpv6 -j ACCEPT
-A awall-OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-OUTPUT -o lo -j ACCEPT
-A awall-OUTPUT -j ACCEPT
--A awall-OUTPUT -j awall-logdrop-0
--A awall-OUTPUT
--A awall-OUTPUT -j ACCEPT
--A awall-OUTPUT -j DROP
--A awall-OUTPUT
--A awall-OUTPUT -j awall-logaccept-0
--A awall-OUTPUT -j awall-logdrop-1
--A awall-OUTPUT -j awall-logpass-0
--A awall-OUTPUT -j awall-logaccept-1
--A awall-OUTPUT -j awall-logdrop-2
--A awall-OUTPUT -j awall-logpass-1
--A awall-OUTPUT -j awall-logaccept-2
--A awall-OUTPUT -j awall-logdrop-3
--A awall-OUTPUT -j awall-logpass-2
--A awall-OUTPUT -j ACCEPT
--A awall-OUTPUT -j DROP
--A awall-OUTPUT
--A awall-OUTPUT -j awall-logaccept-3
--A awall-OUTPUT -j awall-logdrop-4
--A awall-OUTPUT -j ACCEPT
-A awall-OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A awall-OUTPUT -p icmpv6 -j ACCEPT
-A awall-icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A awall-icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A awall-icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A awall-icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A awall-logaccept-0 -m limit --limit 1/second -j LOG
--A awall-logaccept-0 -j ACCEPT
--A awall-logaccept-1 -j LOG
--A awall-logaccept-1 -j TEE --gateway fc00::1
--A awall-logaccept-1 -j ACCEPT
--A awall-logaccept-2 -j TEE --gateway fc00::2
--A awall-logaccept-2 -j ACCEPT
--A awall-logaccept-3 -j ACCEPT
--A awall-logdrop-0 -m limit --limit 1/second -j LOG
--A awall-logdrop-0 -j DROP
--A awall-logdrop-1 -m limit --limit 1/second -j LOG
--A awall-logdrop-1 -j DROP
--A awall-logdrop-2 -j LOG
--A awall-logdrop-2 -j TEE --gateway fc00::1
--A awall-logdrop-2 -j DROP
--A awall-logdrop-3 -j TEE --gateway fc00::2
--A awall-logdrop-3 -j DROP
--A awall-logdrop-4 -j DROP
--A awall-logpass-0 -m limit --limit 1/second -j LOG
--A awall-logpass-1 -j LOG
--A awall-logpass-1 -j TEE --gateway fc00::1
--A awall-logpass-2 -j TEE --gateway fc00::2
COMMIT
*mangle
:INPUT ACCEPT [0:0]
diff --git a/test/output/dedicated/rules-save b/test/output/dedicated/rules-save
index 614ec46..e8ddbd8 100644
--- a/test/output/dedicated/rules-save
+++ b/test/output/dedicated/rules-save
@@ -7,44 +7,10 @@
:awall-INPUT - [0:0]
:awall-OUTPUT - [0:0]
:awall-icmp-routing - [0:0]
-:awall-logaccept-0 - [0:0]
-:awall-logaccept-1 - [0:0]
-:awall-logaccept-2 - [0:0]
-:awall-logaccept-3 - [0:0]
-:awall-logdrop-0 - [0:0]
-:awall-logdrop-1 - [0:0]
-:awall-logdrop-2 - [0:0]
-:awall-logdrop-3 - [0:0]
-:awall-logdrop-4 - [0:0]
-:awall-logpass-0 - [0:0]
-:awall-logpass-1 - [0:0]
-:awall-logpass-2 - [0:0]
-:awall-logpass-3 - [0:0]
-A FORWARD -j awall-FORWARD
-A INPUT -j awall-INPUT
-A OUTPUT -j awall-OUTPUT
-A awall-FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A awall-FORWARD -j ACCEPT
--A awall-FORWARD -j awall-logdrop-0
--A awall-FORWARD
--A awall-FORWARD -j ACCEPT
--A awall-FORWARD -j DROP
--A awall-FORWARD
--A awall-FORWARD -j awall-logaccept-0
--A awall-FORWARD -j awall-logdrop-1
--A awall-FORWARD -j awall-logpass-0
--A awall-FORWARD -j awall-logaccept-1
--A awall-FORWARD -j awall-logdrop-2
--A awall-FORWARD -j awall-logpass-1
--A awall-FORWARD -j awall-logaccept-2
--A awall-FORWARD -j awall-logdrop-3
--A awall-FORWARD -j awall-logpass-2
--A awall-FORWARD -j ACCEPT
--A awall-FORWARD -j DROP
--A awall-FORWARD
--A awall-FORWARD -j awall-logaccept-3
--A awall-FORWARD -j awall-logdrop-4
--A awall-FORWARD -j awall-logpass-3
-A awall-FORWARD -i eth0 -j ACCEPT
-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -102,53 +68,11 @@
-A awall-INPUT -m limit --limit 1/second -j LOG
-A awall-INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-INPUT -i lo -j ACCEPT
--A awall-INPUT -j ACCEPT
--A awall-INPUT -j awall-logdrop-0
--A awall-INPUT
--A awall-INPUT -j ACCEPT
--A awall-INPUT -j DROP
--A awall-INPUT
--A awall-INPUT -j awall-logaccept-0
--A awall-INPUT -j awall-logdrop-1
--A awall-INPUT -j awall-logpass-0
--A awall-INPUT -j awall-logaccept-1
--A awall-INPUT -j awall-logdrop-2
--A awall-INPUT -j awall-logpass-1
--A awall-INPUT -j awall-logaccept-2
--A awall-INPUT -j awall-logdrop-3
--A awall-INPUT -j awall-logpass-2
--A awall-INPUT -j ACCEPT
--A awall-INPUT -j DROP
--A awall-INPUT
--A awall-INPUT -j awall-logaccept-3
--A awall-INPUT -j awall-logdrop-4
--A awall-INPUT -j awall-logpass-3
-A awall-INPUT -i eth0 -j ACCEPT
-A awall-INPUT -j ACCEPT
-A awall-INPUT -p icmp -j awall-icmp-routing
-A awall-OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-OUTPUT -o lo -j ACCEPT
--A awall-OUTPUT -j ACCEPT
--A awall-OUTPUT -j awall-logdrop-0
--A awall-OUTPUT
--A awall-OUTPUT -j ACCEPT
--A awall-OUTPUT -j DROP
--A awall-OUTPUT
--A awall-OUTPUT -j awall-logaccept-0
--A awall-OUTPUT -j awall-logdrop-1
--A awall-OUTPUT -j awall-logpass-0
--A awall-OUTPUT -j awall-logaccept-1
--A awall-OUTPUT -j awall-logdrop-2
--A awall-OUTPUT -j awall-logpass-1
--A awall-OUTPUT -j awall-logaccept-2
--A awall-OUTPUT -j awall-logdrop-3
--A awall-OUTPUT -j awall-logpass-2
--A awall-OUTPUT -j ACCEPT
--A awall-OUTPUT -j DROP
--A awall-OUTPUT
--A awall-OUTPUT -j awall-logaccept-3
--A awall-OUTPUT -j awall-logdrop-4
--A awall-OUTPUT -j awall-logpass-3
-A awall-OUTPUT -m limit --limit 12/minute -j ULOG
-A awall-OUTPUT -j ACCEPT
-A awall-OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -156,31 +80,6 @@
-A awall-icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A awall-icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A awall-icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A awall-logaccept-0 -m limit --limit 1/second -j LOG
--A awall-logaccept-0 -j ACCEPT
--A awall-logaccept-1 -j LOG
--A awall-logaccept-1 -j ACCEPT
--A awall-logaccept-2 -j TEE --gateway 10.0.0.1
--A awall-logaccept-2 -j TEE --gateway 10.0.0.2
--A awall-logaccept-2 -j ACCEPT
--A awall-logaccept-3 -m limit --limit 12/minute -j ULOG
--A awall-logaccept-3 -j ACCEPT
--A awall-logdrop-0 -m limit --limit 1/second -j LOG
--A awall-logdrop-0 -j DROP
--A awall-logdrop-1 -m limit --limit 1/second -j LOG
--A awall-logdrop-1 -j DROP
--A awall-logdrop-2 -j LOG
--A awall-logdrop-2 -j DROP
--A awall-logdrop-3 -j TEE --gateway 10.0.0.1
--A awall-logdrop-3 -j TEE --gateway 10.0.0.2
--A awall-logdrop-3 -j DROP
--A awall-logdrop-4 -m limit --limit 12/minute -j ULOG
--A awall-logdrop-4 -j DROP
--A awall-logpass-0 -m limit --limit 1/second -j LOG
--A awall-logpass-1 -j LOG
--A awall-logpass-2 -j TEE --gateway 10.0.0.1
--A awall-logpass-2 -j TEE --gateway 10.0.0.2
--A awall-logpass-3 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
diff --git a/test/output/dedicated/rules6-save b/test/output/dedicated/rules6-save
index 48e7802..072bfa2 100644
--- a/test/output/dedicated/rules6-save
+++ b/test/output/dedicated/rules6-save
@@ -7,42 +7,10 @@
:awall-INPUT - [0:0]
:awall-OUTPUT - [0:0]
:awall-icmp-routing - [0:0]
-:awall-logaccept-0 - [0:0]
-:awall-logaccept-1 - [0:0]
-:awall-logaccept-2 - [0:0]
-:awall-logaccept-3 - [0:0]
-:awall-logdrop-0 - [0:0]
-:awall-logdrop-1 - [0:0]
-:awall-logdrop-2 - [0:0]
-:awall-logdrop-3 - [0:0]
-:awall-logdrop-4 - [0:0]
-:awall-logpass-0 - [0:0]
-:awall-logpass-1 - [0:0]
-:awall-logpass-2 - [0:0]
-A FORWARD -j awall-FORWARD
-A INPUT -j awall-INPUT
-A OUTPUT -j awall-OUTPUT
-A awall-FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A awall-FORWARD -j ACCEPT
--A awall-FORWARD -j awall-logdrop-0
--A awall-FORWARD
--A awall-FORWARD -j ACCEPT
--A awall-FORWARD -j DROP
--A awall-FORWARD
--A awall-FORWARD -j awall-logaccept-0
--A awall-FORWARD -j awall-logdrop-1
--A awall-FORWARD -j awall-logpass-0
--A awall-FORWARD -j awall-logaccept-1
--A awall-FORWARD -j awall-logdrop-2
--A awall-FORWARD -j awall-logpass-1
--A awall-FORWARD -j awall-logaccept-2
--A awall-FORWARD -j awall-logdrop-3
--A awall-FORWARD -j awall-logpass-2
--A awall-FORWARD -j ACCEPT
--A awall-FORWARD -j DROP
--A awall-FORWARD
--A awall-FORWARD -j awall-logaccept-3
--A awall-FORWARD -j awall-logdrop-4
-A awall-FORWARD -i eth0 -j ACCEPT
-A awall-FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A awall-FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -74,80 +42,18 @@
-A awall-INPUT -m limit --limit 1/second -j LOG
-A awall-INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-INPUT -i lo -j ACCEPT
--A awall-INPUT -j ACCEPT
--A awall-INPUT -j awall-logdrop-0
--A awall-INPUT
--A awall-INPUT -j ACCEPT
--A awall-INPUT -j DROP
--A awall-INPUT
--A awall-INPUT -j awall-logaccept-0
--A awall-INPUT -j awall-logdrop-1
--A awall-INPUT -j awall-logpass-0
--A awall-INPUT -j awall-logaccept-1
--A awall-INPUT -j awall-logdrop-2
--A awall-INPUT -j awall-logpass-1
--A awall-INPUT -j awall-logaccept-2
--A awall-INPUT -j awall-logdrop-3
--A awall-INPUT -j awall-logpass-2
--A awall-INPUT -j ACCEPT
--A awall-INPUT -j DROP
--A awall-INPUT
--A awall-INPUT -j awall-logaccept-3
--A awall-INPUT -j awall-logdrop-4
-A awall-INPUT -i eth0 -j ACCEPT
-A awall-INPUT -j ACCEPT
-A awall-INPUT -p icmpv6 -j ACCEPT
-A awall-OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-OUTPUT -o lo -j ACCEPT
-A awall-OUTPUT -j ACCEPT
--A awall-OUTPUT -j awall-logdrop-0
--A awall-OUTPUT
--A awall-OUTPUT -j ACCEPT
--A awall-OUTPUT -j DROP
--A awall-OUTPUT
--A awall-OUTPUT -j awall-logaccept-0
--A awall-OUTPUT -j awall-logdrop-1
--A awall-OUTPUT -j awall-logpass-0
--A awall-OUTPUT -j awall-logaccept-1
--A awall-OUTPUT -j awall-logdrop-2
--A awall-OUTPUT -j awall-logpass-1
--A awall-OUTPUT -j awall-logaccept-2
--A awall-OUTPUT -j awall-logdrop-3
--A awall-OUTPUT -j awall-logpass-2
--A awall-OUTPUT -j ACCEPT
--A awall-OUTPUT -j DROP
--A awall-OUTPUT
--A awall-OUTPUT -j awall-logaccept-3
--A awall-OUTPUT -j awall-logdrop-4
--A awall-OUTPUT -j ACCEPT
-A awall-OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A awall-OUTPUT -p icmpv6 -j ACCEPT
-A awall-icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A awall-icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A awall-icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A awall-icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A awall-logaccept-0 -m limit --limit 1/second -j LOG
--A awall-logaccept-0 -j ACCEPT
--A awall-logaccept-1 -j LOG
--A awall-logaccept-1 -j TEE --gateway fc00::1
--A awall-logaccept-1 -j ACCEPT
--A awall-logaccept-2 -j TEE --gateway fc00::2
--A awall-logaccept-2 -j ACCEPT
--A awall-logaccept-3 -j ACCEPT
--A awall-logdrop-0 -m limit --limit 1/second -j LOG
--A awall-logdrop-0 -j DROP
--A awall-logdrop-1 -m limit --limit 1/second -j LOG
--A awall-logdrop-1 -j DROP
--A awall-logdrop-2 -j LOG
--A awall-logdrop-2 -j TEE --gateway fc00::1
--A awall-logdrop-2 -j DROP
--A awall-logdrop-3 -j TEE --gateway fc00::2
--A awall-logdrop-3 -j DROP
--A awall-logdrop-4 -j DROP
--A awall-logpass-0 -m limit --limit 1/second -j LOG
--A awall-logpass-1 -j LOG
--A awall-logpass-1 -j TEE --gateway fc00::1
--A awall-logpass-2 -j TEE --gateway fc00::2
COMMIT
*mangle
:INPUT ACCEPT [0:0]
diff --git a/test/output/filter-dnat/dump b/test/output/filter-dnat/dump
index 9868823..1ba647a 100644
--- a/test/output/filter-dnat/dump
+++ b/test/output/filter-dnat/dump
@@ -12,356 +12,123 @@ Dnat 2 {"in":"B"}
inet/nat/PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
-Filter 1 {"dest":"192.168.0.1","dnat":"10.0.0.1","in":"A","service":"smtp"}
-(filter-dnat)
- inet/filter/FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT
- inet/filter/INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT
- inet/nat/PREROUTING -i eth0 -p tcp --dport 25 -d 192.168.0.1 -j DNAT --to-destination 10.0.0.1
-
-Filter 2 {"dest":"192.168.0.2","dnat":{"addr":"10.0.0.2","port":8080},"in":"A","service":"http"}
-(filter-dnat)
- inet/filter/FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT
- inet/filter/INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT
- inet/nat/PREROUTING -i eth0 -p tcp --dport 80 -d 192.168.0.2 -j DNAT --to-destination 10.0.0.2:8080
-
-Filter 3 {"dnat":{"addr":"10.0.0.3","port":"8022-8033"},"in":"A","service":"ssh"}
-(filter-dnat)
- inet/filter/FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT
- inet/filter/INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT
- inet/nat/PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.3:8022-8033
- inet6/filter/FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT
- inet6/filter/INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-
-Filter 4 {}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 5 {"action":"drop"}
-(log)
- inet/filter/FORWARD -j logdrop-0
- inet/filter/INPUT -j logdrop-0
- inet/filter/OUTPUT -j logdrop-0
- inet/filter/logdrop-0 -m limit --limit 1/second -j LOG
- inet/filter/logdrop-0 -j DROP
- inet6/filter/FORWARD -j logdrop-0
- inet6/filter/INPUT -j logdrop-0
- inet6/filter/OUTPUT -j logdrop-0
- inet6/filter/logdrop-0 -m limit --limit 1/second -j LOG
- inet6/filter/logdrop-0 -j DROP
-
-Filter 6 {"action":"pass"}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 7 {"log":false}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 8 {"action":"drop","log":false}
-(log)
- inet/filter/FORWARD -j DROP
- inet/filter/INPUT -j DROP
- inet/filter/OUTPUT -j DROP
- inet6/filter/FORWARD -j DROP
- inet6/filter/INPUT -j DROP
- inet6/filter/OUTPUT -j DROP
-
-Filter 9 {"action":"pass","log":false}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 10 {"log":true}
-(log)
- inet/filter/FORWARD -j logaccept-0
- inet/filter/INPUT -j logaccept-0
- inet/filter/OUTPUT -j logaccept-0
- inet/filter/logaccept-0 -m limit --limit 1/second -j LOG
- inet/filter/logaccept-0 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-0
- inet6/filter/INPUT -j logaccept-0
- inet6/filter/OUTPUT -j logaccept-0
- inet6/filter/logaccept-0 -m limit --limit 1/second -j LOG
- inet6/filter/logaccept-0 -j ACCEPT
-
-Filter 11 {"action":"drop","log":true}
-(log)
- inet/filter/FORWARD -j logdrop-1
- inet/filter/INPUT -j logdrop-1
- inet/filter/OUTPUT -j logdrop-1
- inet/filter/logdrop-1 -m limit --limit 1/second -j LOG
- inet/filter/logdrop-1 -j DROP
- inet6/filter/FORWARD -j logdrop-1
- inet6/filter/INPUT -j logdrop-1
- inet6/filter/OUTPUT -j logdrop-1
- inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG
- inet6/filter/logdrop-1 -j DROP
-
-Filter 12 {"action":"pass","log":true}
-(log)
- inet/filter/FORWARD -j logpass-0
- inet/filter/INPUT -j logpass-0
- inet/filter/OUTPUT -j logpass-0
- inet/filter/logpass-0 -m limit --limit 1/second -j LOG
- inet6/filter/FORWARD -j logpass-0
- inet6/filter/INPUT -j logpass-0
- inet6/filter/OUTPUT -j logpass-0
- inet6/filter/logpass-0 -m limit --limit 1/second -j LOG
-
-Filter 13 {"log":"dual"}
-(log)
- inet/filter/FORWARD -j logaccept-1
- inet/filter/INPUT -j logaccept-1
- inet/filter/OUTPUT -j logaccept-1
- inet/filter/logaccept-1 -j LOG
- inet/filter/logaccept-1 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-1
- inet6/filter/INPUT -j logaccept-1
- inet6/filter/OUTPUT -j logaccept-1
- inet6/filter/logaccept-1 -j LOG
- inet6/filter/logaccept-1 -j TEE --gateway fc00::1
- inet6/filter/logaccept-1 -j ACCEPT
-
-Filter 14 {"action":"drop","log":"dual"}
-(log)
- inet/filter/FORWARD -j logdrop-2
- inet/filter/INPUT -j logdrop-2
- inet/filter/OUTPUT -j logdrop-2
- inet/filter/logdrop-2 -j LOG
- inet/filter/logdrop-2 -j DROP
- inet6/filter/FORWARD -j logdrop-2
- inet6/filter/INPUT -j logdrop-2
- inet6/filter/OUTPUT -j logdrop-2
- inet6/filter/logdrop-2 -j LOG
- inet6/filter/logdrop-2 -j TEE --gateway fc00::1
- inet6/filter/logdrop-2 -j DROP
-
-Filter 15 {"action":"pass","log":"dual"}
-(log)
- inet/filter/FORWARD -j logpass-1
- inet/filter/INPUT -j logpass-1
- inet/filter/OUTPUT -j logpass-1
- inet/filter/logpass-1 -j LOG
- inet6/filter/FORWARD -j logpass-1
- inet6/filter/INPUT -j logpass-1
- inet6/filter/OUTPUT -j logpass-1
- inet6/filter/logpass-1 -j LOG
- inet6/filter/logpass-1 -j TEE --gateway fc00::1
-
-Filter 16 {"log":"mirror"}
-(log)
- inet/filter/FORWARD -j logaccept-2
- inet/filter/INPUT -j logaccept-2
- inet/filter/OUTPUT -j logaccept-2
- inet/filter/logaccept-2 -j TEE --gateway 10.0.0.1
- inet/filter/logaccept-2 -j TEE --gateway 10.0.0.2
- inet/filter/logaccept-2 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-2
- inet6/filter/INPUT -j logaccept-2
- inet6/filter/OUTPUT -j logaccept-2
- inet6/filter/logaccept-2 -j TEE --gateway fc00::2
- inet6/filter/logaccept-2 -j ACCEPT
-
-Filter 17 {"action":"drop","log":"mirror"}
-(log)
- inet/filter/FORWARD -j logdrop-3
- inet/filter/INPUT -j logdrop-3
- inet/filter/OUTPUT -j logdrop-3
- inet/filter/logdrop-3 -j TEE --gateway 10.0.0.1
- inet/filter/logdrop-3 -j TEE --gateway 10.0.0.2
- inet/filter/logdrop-3 -j DROP
- inet6/filter/FORWARD -j logdrop-3
- inet6/filter/INPUT -j logdrop-3
- inet6/filter/OUTPUT -j logdrop-3
- inet6/filter/logdrop-3 -j TEE --gateway fc00::2
- inet6/filter/logdrop-3 -j DROP
-
-Filter 18 {"action":"pass","log":"mirror"}
-(log)
- inet/filter/FORWARD -j logpass-2
- inet/filter/INPUT -j logpass-2
- inet/filter/OUTPUT -j logpass-2
- inet/filter/logpass-2 -j TEE --gateway 10.0.0.1
- inet/filter/logpass-2 -j TEE --gateway 10.0.0.2
- inet6/filter/FORWARD -j logpass-2
- inet6/filter/INPUT -j logpass-2
- inet6/filter/OUTPUT -j logpass-2
- inet6/filter/logpass-2 -j TEE --gateway fc00::2
-
-Filter 19 {"log":"none"}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 20 {"action":"drop","log":"none"}
-(log)
- inet/filter/FORWARD -j DROP
- inet/filter/INPUT -j DROP
- inet/filter/OUTPUT -j DROP
- inet6/filter/FORWARD -j DROP
- inet6/filter/INPUT -j DROP
- inet6/filter/OUTPUT -j DROP
-
-Filter 21 {"action":"pass","log":"none"}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 22 {"log":"ulog"}
-(log)
- inet/filter/FORWARD -j logaccept-3
- inet/filter/INPUT -j logaccept-3
- inet/filter/OUTPUT -j logaccept-3
- inet/filter/logaccept-3 -m limit --limit 12/minute -j ULOG
- inet/filter/logaccept-3 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-3
- inet6/filter/INPUT -j logaccept-3
- inet6/filter/OUTPUT -j logaccept-3
- inet6/filter/logaccept-3 -j ACCEPT
-
-Filter 23 {"action":"drop","log":"ulog"}
-(log)
- inet/filter/FORWARD -j logdrop-4
- inet/filter/INPUT -j logdrop-4
- inet/filter/OUTPUT -j logdrop-4
- inet/filter/logdrop-4 -m limit --limit 12/minute -j ULOG
- inet/filter/logdrop-4 -j DROP
- inet6/filter/FORWARD -j logdrop-4
- inet6/filter/INPUT -j logdrop-4
- inet6/filter/OUTPUT -j logdrop-4
- inet6/filter/logdrop-4 -j DROP
-
-Filter 24 {"action":"pass","log":"ulog"}
-(log)
- inet/filter/FORWARD -j logpass-3
- inet/filter/INPUT -j logpass-3
- inet/filter/OUTPUT -j logpass-3
- inet/filter/logpass-3 -m limit --limit 12/minute -j ULOG
-
-Filter 25 {"action":"pass","in":"_fw","log":"ulog"}
-(log)
- inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
-
-Filter 26 {"in":["_fw","A"]}
-(zone)
- inet/filter/FORWARD -i eth0 -j ACCEPT
- inet/filter/INPUT -i eth0 -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -i eth0 -j ACCEPT
- inet6/filter/INPUT -i eth0 -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 27 {"in":"B","out":"C"}
-(zone)
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+Filter 1 {"dest":"192.168.0.1","dnat":"10.0.0.1","in":"A","service":"smtp"}
+(filter-dnat)
+ inet/filter/FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT
+ inet/filter/INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT
+ inet/nat/PREROUTING -i eth0 -p tcp --dport 25 -d 192.168.0.1 -j DNAT --to-destination 10.0.0.1
+
+Filter 2 {"dest":"192.168.0.2","dnat":{"addr":"10.0.0.2","port":8080},"in":"A","service":"http"}
+(filter-dnat)
+ inet/filter/FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT
+ inet/filter/INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT
+ inet/nat/PREROUTING -i eth0 -p tcp --dport 80 -d 192.168.0.2 -j DNAT --to-destination 10.0.0.2:8080
+
+Filter 3 {"dnat":{"addr":"10.0.0.3","port":"8022-8033"},"in":"A","service":"ssh"}
+(filter-dnat)
+ inet/filter/FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT
+ inet/filter/INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT
+ inet/nat/PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.3:8022-8033
+ inet6/filter/FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT
+ inet6/filter/INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
+
+Filter 4 {"action":"pass","in":"_fw","log":"ulog"}
+(log)
+ inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
+
+Filter 5 {"in":["_fw","A"]}
+(zone)
+ inet/filter/FORWARD -i eth0 -j ACCEPT
+ inet/filter/INPUT -i eth0 -j ACCEPT
+ inet/filter/OUTPUT -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -j ACCEPT
+ inet6/filter/INPUT -i eth0 -j ACCEPT
+ inet6/filter/OUTPUT -j ACCEPT
+
+Filter 6 {"in":"B","out":"C"}
+(zone)
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-Filter 28 {"out":["_fw","B"]}
-(zone)
- inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-
-Filter 29 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
-(zone)
- inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+Filter 7 {"out":["_fw","B"]}
+(zone)
+ inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/INPUT -j ACCEPT
+ inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/INPUT -j ACCEPT
+ inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
+
+Filter 8 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
+(zone)
+ inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
Ipset awall-masquerade {"family":"inet","type":"hash:net"}
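Review bot: The only log case left in this fixture, Filter 4 (`{"action":"pass","in":"_fw","log":"ulog"}`), expands to a single `inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG` line with no `inet6` counterpart, so the golden output pins that IPv6 traffic from the firewall matching this rule leaves no log record. The removed Filter 22 and 23 blocks show the same gap (`inet6/filter/logaccept-3 -j ACCEPT` and `inet6/filter/logdrop-4 -j DROP` with no log rule before the verdict), presumably because the ULOG target has no IPv6 variant. Someone auditing what the policy records can easily miss this from the dump alone. Since those cases now live in the filter-log test, consider stating the gap there, for example with a comment such as `-- ulog: no inet6 log rule is generated, only the verdict` in `test/optional/filter-log.lua`, which is not shown in this part of the diff.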
@@ -701,44 +468,10 @@ hash:net family inet
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-3
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -799,53 +532,11 @@ hash:net family inet
-A INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
--A INPUT -j logpass-3
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-3
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -853,31 +544,6 @@ hash:net family inet
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway 10.0.0.1
--A logaccept-2 -j TEE --gateway 10.0.0.2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -m limit --limit 12/minute -j ULOG
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway 10.0.0.1
--A logdrop-3 -j TEE --gateway 10.0.0.2
--A logdrop-3 -j DROP
--A logdrop-4 -m limit --limit 12/minute -j ULOG
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
@@ -925,40 +591,8 @@ COMMIT
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -991,80 +625,18 @@ COMMIT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j TEE --gateway fc00::1
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway fc00::2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j TEE --gateway fc00::1
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway fc00::2
--A logdrop-3 -j DROP
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
COMMIT
*mangle
:INPUT ACCEPT [0:0]
diff --git a/test/output/filter-dnat/rules-save b/test/output/filter-dnat/rules-save
index 4ecb0be..30a8278 100644
--- a/test/output/filter-dnat/rules-save
+++ b/test/output/filter-dnat/rules-save
@@ -4,44 +4,10 @@
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-3
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -102,53 +68,11 @@
-A INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
--A INPUT -j logpass-3
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-3
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -156,31 +80,6 @@
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway 10.0.0.1
--A logaccept-2 -j TEE --gateway 10.0.0.2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -m limit --limit 12/minute -j ULOG
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway 10.0.0.1
--A logdrop-3 -j TEE --gateway 10.0.0.2
--A logdrop-3 -j DROP
--A logdrop-4 -m limit --limit 12/minute -j ULOG
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
diff --git a/test/output/filter-dnat/rules6-save b/test/output/filter-dnat/rules6-save
index 2dfba33..5542f2a 100644
--- a/test/output/filter-dnat/rules6-save
+++ b/test/output/filter-dnat/rules6-save
@@ -4,40 +4,8 @@
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -70,80 +38,18 @@
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j TEE --gateway fc00::1
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway fc00::2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j TEE --gateway fc00::1
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway fc00::2
--A logdrop-3 -j DROP
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
COMMIT
*mangle
:INPUT ACCEPT [0:0]
diff --git a/test/output/filter-limit/dump b/test/output/filter-limit/dump
index 1496458..dcd396d 100644
--- a/test/output/filter-limit/dump
+++ b/test/output/filter-limit/dump
@@ -59162,244 +59162,11 @@ Filter 3912 {"update-limit":{"addr":"dest","measure":"fl
inet6/filter/INPUT -m recent --name user:B --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
inet6/filter/OUTPUT -m recent --name user:B --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
-Filter 3913 {}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 3914 {"action":"drop"}
-(log)
- inet/filter/FORWARD -j logdrop-1650
- inet/filter/INPUT -j logdrop-1650
- inet/filter/OUTPUT -j logdrop-1650
- inet/filter/logdrop-1650 -m limit --limit 1/second -j LOG
- inet/filter/logdrop-1650 -j DROP
- inet6/filter/FORWARD -j logdrop-1650
- inet6/filter/INPUT -j logdrop-1650
- inet6/filter/OUTPUT -j logdrop-1650
- inet6/filter/logdrop-1650 -m limit --limit 1/second -j LOG
- inet6/filter/logdrop-1650 -j DROP
-
-Filter 3915 {"action":"pass"}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 3916 {"log":false}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 3917 {"action":"drop","log":false}
-(log)
- inet/filter/FORWARD -j DROP
- inet/filter/INPUT -j DROP
- inet/filter/OUTPUT -j DROP
- inet6/filter/FORWARD -j DROP
- inet6/filter/INPUT -j DROP
- inet6/filter/OUTPUT -j DROP
-
-Filter 3918 {"action":"pass","log":false}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 3919 {"log":true}
-(log)
- inet/filter/FORWARD -j logaccept-66
- inet/filter/INPUT -j logaccept-66
- inet/filter/OUTPUT -j logaccept-66
- inet/filter/logaccept-66 -m limit --limit 1/second -j LOG
- inet/filter/logaccept-66 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-66
- inet6/filter/INPUT -j logaccept-66
- inet6/filter/OUTPUT -j logaccept-66
- inet6/filter/logaccept-66 -m limit --limit 1/second -j LOG
- inet6/filter/logaccept-66 -j ACCEPT
-
-Filter 3920 {"action":"drop","log":true}
-(log)
- inet/filter/FORWARD -j logdrop-1651
- inet/filter/INPUT -j logdrop-1651
- inet/filter/OUTPUT -j logdrop-1651
- inet/filter/logdrop-1651 -m limit --limit 1/second -j LOG
- inet/filter/logdrop-1651 -j DROP
- inet6/filter/FORWARD -j logdrop-1651
- inet6/filter/INPUT -j logdrop-1651
- inet6/filter/OUTPUT -j logdrop-1651
- inet6/filter/logdrop-1651 -m limit --limit 1/second -j LOG
- inet6/filter/logdrop-1651 -j DROP
-
-Filter 3921 {"action":"pass","log":true}
-(log)
- inet/filter/FORWARD -j logpass-0
- inet/filter/INPUT -j logpass-0
- inet/filter/OUTPUT -j logpass-0
- inet/filter/logpass-0 -m limit --limit 1/second -j LOG
- inet6/filter/FORWARD -j logpass-0
- inet6/filter/INPUT -j logpass-0
- inet6/filter/OUTPUT -j logpass-0
- inet6/filter/logpass-0 -m limit --limit 1/second -j LOG
-
-Filter 3922 {"log":"dual"}
-(log)
- inet/filter/FORWARD -j logaccept-67
- inet/filter/INPUT -j logaccept-67
- inet/filter/OUTPUT -j logaccept-67
- inet/filter/logaccept-67 -j LOG
- inet/filter/logaccept-67 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-67
- inet6/filter/INPUT -j logaccept-67
- inet6/filter/OUTPUT -j logaccept-67
- inet6/filter/logaccept-67 -j LOG
- inet6/filter/logaccept-67 -j TEE --gateway fc00::1
- inet6/filter/logaccept-67 -j ACCEPT
-
-Filter 3923 {"action":"drop","log":"dual"}
-(log)
- inet/filter/FORWARD -j logdrop-1652
- inet/filter/INPUT -j logdrop-1652
- inet/filter/OUTPUT -j logdrop-1652
- inet/filter/logdrop-1652 -j LOG
- inet/filter/logdrop-1652 -j DROP
- inet6/filter/FORWARD -j logdrop-1652
- inet6/filter/INPUT -j logdrop-1652
- inet6/filter/OUTPUT -j logdrop-1652
- inet6/filter/logdrop-1652 -j LOG
- inet6/filter/logdrop-1652 -j TEE --gateway fc00::1
- inet6/filter/logdrop-1652 -j DROP
-
-Filter 3924 {"action":"pass","log":"dual"}
-(log)
- inet/filter/FORWARD -j logpass-1
- inet/filter/INPUT -j logpass-1
- inet/filter/OUTPUT -j logpass-1
- inet/filter/logpass-1 -j LOG
- inet6/filter/FORWARD -j logpass-1
- inet6/filter/INPUT -j logpass-1
- inet6/filter/OUTPUT -j logpass-1
- inet6/filter/logpass-1 -j LOG
- inet6/filter/logpass-1 -j TEE --gateway fc00::1
-
-Filter 3925 {"log":"mirror"}
-(log)
- inet/filter/FORWARD -j logaccept-68
- inet/filter/INPUT -j logaccept-68
- inet/filter/OUTPUT -j logaccept-68
- inet/filter/logaccept-68 -j TEE --gateway 10.0.0.1
- inet/filter/logaccept-68 -j TEE --gateway 10.0.0.2
- inet/filter/logaccept-68 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-68
- inet6/filter/INPUT -j logaccept-68
- inet6/filter/OUTPUT -j logaccept-68
- inet6/filter/logaccept-68 -j TEE --gateway fc00::2
- inet6/filter/logaccept-68 -j ACCEPT
-
-Filter 3926 {"action":"drop","log":"mirror"}
-(log)
- inet/filter/FORWARD -j logdrop-1653
- inet/filter/INPUT -j logdrop-1653
- inet/filter/OUTPUT -j logdrop-1653
- inet/filter/logdrop-1653 -j TEE --gateway 10.0.0.1
- inet/filter/logdrop-1653 -j TEE --gateway 10.0.0.2
- inet/filter/logdrop-1653 -j DROP
- inet6/filter/FORWARD -j logdrop-1653
- inet6/filter/INPUT -j logdrop-1653
- inet6/filter/OUTPUT -j logdrop-1653
- inet6/filter/logdrop-1653 -j TEE --gateway fc00::2
- inet6/filter/logdrop-1653 -j DROP
-
-Filter 3927 {"action":"pass","log":"mirror"}
-(log)
- inet/filter/FORWARD -j logpass-2
- inet/filter/INPUT -j logpass-2
- inet/filter/OUTPUT -j logpass-2
- inet/filter/logpass-2 -j TEE --gateway 10.0.0.1
- inet/filter/logpass-2 -j TEE --gateway 10.0.0.2
- inet6/filter/FORWARD -j logpass-2
- inet6/filter/INPUT -j logpass-2
- inet6/filter/OUTPUT -j logpass-2
- inet6/filter/logpass-2 -j TEE --gateway fc00::2
-
-Filter 3928 {"log":"none"}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 3929 {"action":"drop","log":"none"}
-(log)
- inet/filter/FORWARD -j DROP
- inet/filter/INPUT -j DROP
- inet/filter/OUTPUT -j DROP
- inet6/filter/FORWARD -j DROP
- inet6/filter/INPUT -j DROP
- inet6/filter/OUTPUT -j DROP
-
-Filter 3930 {"action":"pass","log":"none"}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 3931 {"log":"ulog"}
-(log)
- inet/filter/FORWARD -j logaccept-69
- inet/filter/INPUT -j logaccept-69
- inet/filter/OUTPUT -j logaccept-69
- inet/filter/logaccept-69 -m limit --limit 12/minute -j ULOG
- inet/filter/logaccept-69 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-69
- inet6/filter/INPUT -j logaccept-69
- inet6/filter/OUTPUT -j logaccept-69
- inet6/filter/logaccept-69 -j ACCEPT
-
-Filter 3932 {"action":"drop","log":"ulog"}
-(log)
- inet/filter/FORWARD -j logdrop-1654
- inet/filter/INPUT -j logdrop-1654
- inet/filter/OUTPUT -j logdrop-1654
- inet/filter/logdrop-1654 -m limit --limit 12/minute -j ULOG
- inet/filter/logdrop-1654 -j DROP
- inet6/filter/FORWARD -j logdrop-1654
- inet6/filter/INPUT -j logdrop-1654
- inet6/filter/OUTPUT -j logdrop-1654
- inet6/filter/logdrop-1654 -j DROP
-
-Filter 3933 {"action":"pass","log":"ulog"}
-(log)
- inet/filter/FORWARD -j logpass-3
- inet/filter/INPUT -j logpass-3
- inet/filter/OUTPUT -j logpass-3
- inet/filter/logpass-3 -m limit --limit 12/minute -j ULOG
-
-Filter 3934 {"action":"pass","in":"_fw","log":"ulog"}
+Filter 3913 {"action":"pass","in":"_fw","log":"ulog"}
(log)
inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
-Filter 3935 {"in":["_fw","A"]}
+Filter 3914 {"in":["_fw","A"]}
(zone)
inet/filter/FORWARD -i eth0 -j ACCEPT
inet/filter/INPUT -i eth0 -j ACCEPT
@@ -59408,12 +59175,12 @@ Filter 3935 {"in":["_fw","A"]}
inet6/filter/INPUT -i eth0 -j ACCEPT
inet6/filter/OUTPUT -j ACCEPT
-Filter 3936 {"in":"B","out":"C"}
+Filter 3915 {"in":"B","out":"C"}
(zone)
inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-Filter 3937 {"out":["_fw","B"]}
+Filter 3916 {"out":["_fw","B"]}
(zone)
inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
inet/filter/INPUT -j ACCEPT
@@ -59422,7 +59189,7 @@ Filter 3937 {"out":["_fw","B"]}
inet6/filter/INPUT -j ACCEPT
inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-Filter 3938 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
+Filter 3917 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
(zone)
inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
@@ -63638,10 +63405,6 @@ hash:net family inet
:logaccept-63 - [0:0]
:logaccept-64 - [0:0]
:logaccept-65 - [0:0]
-:logaccept-66 - [0:0]
-:logaccept-67 - [0:0]
-:logaccept-68 - [0:0]
-:logaccept-69 - [0:0]
:logaccept-7 - [0:0]
:logaccept-8 - [0:0]
:logaccept-9 - [0:0]
@@ -64709,11 +64472,6 @@ hash:net family inet
:logdrop-1648 - [0:0]
:logdrop-1649 - [0:0]
:logdrop-165 - [0:0]
-:logdrop-1650 - [0:0]
-:logdrop-1651 - [0:0]
-:logdrop-1652 - [0:0]
-:logdrop-1653 - [0:0]
-:logdrop-1654 - [0:0]
:logdrop-166 - [0:0]
:logdrop-167 - [0:0]
:logdrop-168 - [0:0]
@@ -66189,10 +65947,6 @@ hash:net family inet
:logdrop-ntp-97 - [0:0]
:logdrop-ntp-98 - [0:0]
:logdrop-ntp-99 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
-A FORWARD -m recent --name user:B --rdest --mask 255.255.255.255 --set
-A FORWARD -m recent --name user:B --rsource --mask 255.255.255.255 --set
-A FORWARD -j limit-2927
@@ -68664,27 +68418,6 @@ hash:net family inet
-A FORWARD -m recent --name user:D --rsource --mask 255.255.252.0 --set
-A FORWARD -m recent --name user:A --rsource --mask 255.255.255.255 --set
-A FORWARD -m recent --name user:A --rdest --mask 255.255.255.255 --set
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-1650
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-66
--A FORWARD -j logdrop-1651
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-67
--A FORWARD -j logdrop-1652
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-68
--A FORWARD -j logdrop-1653
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-69
--A FORWARD -j logdrop-1654
--A FORWARD -j logpass-3
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -71212,27 +70945,6 @@ hash:net family inet
-A INPUT -m recent --name user:D --rsource --mask 255.255.252.0 --set
-A INPUT -m recent --name user:A --rsource --mask 255.255.255.255 --set
-A INPUT -m recent --name user:A --rdest --mask 255.255.255.255 --set
--A INPUT -j ACCEPT
--A INPUT -j logdrop-1650
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-66
--A INPUT -j logdrop-1651
--A INPUT -j logpass-0
--A INPUT -j logaccept-67
--A INPUT -j logdrop-1652
--A INPUT -j logpass-1
--A INPUT -j logaccept-68
--A INPUT -j logdrop-1653
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-69
--A INPUT -j logdrop-1654
--A INPUT -j logpass-3
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
@@ -75194,27 +74906,6 @@ hash:net family inet
-A OUTPUT -m recent --name user:D --rsource --mask 255.255.252.0 --set
-A OUTPUT -m recent --name user:A --rsource --mask 255.255.255.255 --set
-A OUTPUT -m recent --name user:A --rdest --mask 255.255.255.255 --set
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-1650
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-66
--A OUTPUT -j logdrop-1651
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-67
--A OUTPUT -j logdrop-1652
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-68
--A OUTPUT -j logdrop-1653
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-69
--A OUTPUT -j logdrop-1654
--A OUTPUT -j logpass-3
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -84169,15 +83860,6 @@ hash:net family inet
-A logaccept-64 -j ACCEPT
-A logaccept-65 -m limit --limit 12/minute -j ULOG
-A logaccept-65 -j ACCEPT
--A logaccept-66 -m limit --limit 1/second -j LOG
--A logaccept-66 -j ACCEPT
--A logaccept-67 -j LOG
--A logaccept-67 -j ACCEPT
--A logaccept-68 -j TEE --gateway 10.0.0.1
--A logaccept-68 -j TEE --gateway 10.0.0.2
--A logaccept-68 -j ACCEPT
--A logaccept-69 -m limit --limit 12/minute -j ULOG
--A logaccept-69 -j ACCEPT
-A logaccept-7 -j TEE --gateway 10.0.0.1
-A logaccept-7 -j TEE --gateway 10.0.0.2
-A logaccept-7 -j ACCEPT
@@ -86682,17 +86364,6 @@ hash:net family inet
-A logdrop-165 -j TEE --gateway 10.0.0.1
-A logdrop-165 -j TEE --gateway 10.0.0.2
-A logdrop-165 -j DROP
--A logdrop-1650 -m limit --limit 1/second -j LOG
--A logdrop-1650 -j DROP
--A logdrop-1651 -m limit --limit 1/second -j LOG
--A logdrop-1651 -j DROP
--A logdrop-1652 -j LOG
--A logdrop-1652 -j DROP
--A logdrop-1653 -j TEE --gateway 10.0.0.1
--A logdrop-1653 -j TEE --gateway 10.0.0.2
--A logdrop-1653 -j DROP
--A logdrop-1654 -m limit --limit 12/minute -j ULOG
--A logdrop-1654 -j DROP
-A logdrop-166 -j TEE --gateway 10.0.0.1
-A logdrop-166 -j TEE --gateway 10.0.0.2
-A logdrop-166 -j DROP
@@ -90107,11 +89778,6 @@ hash:net family inet
-A logdrop-ntp-98 -j DROP
-A logdrop-ntp-99 -m limit --limit 1/second -j LOG
-A logdrop-ntp-99 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
@@ -95449,10 +95115,6 @@ COMMIT
:logaccept-63 - [0:0]
:logaccept-64 - [0:0]
:logaccept-65 - [0:0]
-:logaccept-66 - [0:0]
-:logaccept-67 - [0:0]
-:logaccept-68 - [0:0]
-:logaccept-69 - [0:0]
:logaccept-7 - [0:0]
:logaccept-8 - [0:0]
:logaccept-9 - [0:0]
@@ -96520,11 +96182,6 @@ COMMIT
:logdrop-1648 - [0:0]
:logdrop-1649 - [0:0]
:logdrop-165 - [0:0]
-:logdrop-1650 - [0:0]
-:logdrop-1651 - [0:0]
-:logdrop-1652 - [0:0]
-:logdrop-1653 - [0:0]
-:logdrop-1654 - [0:0]
:logdrop-166 - [0:0]
:logdrop-167 - [0:0]
:logdrop-168 - [0:0]
@@ -98000,9 +97657,6 @@ COMMIT
:logdrop-ntp-97 - [0:0]
:logdrop-ntp-98 - [0:0]
:logdrop-ntp-99 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-A FORWARD -m recent --name user:B --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
-A FORWARD -m recent --name user:B --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
-A FORWARD -j limit-2927
@@ -100474,26 +100128,6 @@ COMMIT
-A FORWARD -m recent --name user:D --rsource --mask ffff:ffff:ffff:ffc0:: --set
-A FORWARD -m recent --name user:A --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
-A FORWARD -m recent --name user:A --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-1650
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-66
--A FORWARD -j logdrop-1651
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-67
--A FORWARD -j logdrop-1652
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-68
--A FORWARD -j logdrop-1653
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-69
--A FORWARD -j logdrop-1654
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -102995,26 +102629,6 @@ COMMIT
-A INPUT -m recent --name user:D --rsource --mask ffff:ffff:ffff:ffc0:: --set
-A INPUT -m recent --name user:A --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
-A INPUT -m recent --name user:A --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
--A INPUT -j ACCEPT
--A INPUT -j logdrop-1650
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-66
--A INPUT -j logdrop-1651
--A INPUT -j logpass-0
--A INPUT -j logaccept-67
--A INPUT -j logdrop-1652
--A INPUT -j logpass-1
--A INPUT -j logaccept-68
--A INPUT -j logdrop-1653
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-69
--A INPUT -j logdrop-1654
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
@@ -106977,26 +106591,6 @@ COMMIT
-A OUTPUT -m recent --name user:A --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
-A OUTPUT -m recent --name user:A --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
-A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-1650
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-66
--A OUTPUT -j logdrop-1651
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-67
--A OUTPUT -j logdrop-1652
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-68
--A OUTPUT -j logdrop-1653
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-69
--A OUTPUT -j logdrop-1654
--A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
@@ -114538,14 +114132,6 @@ COMMIT
-A logaccept-64 -j TEE --gateway fc00::2
-A logaccept-64 -j ACCEPT
-A logaccept-65 -j ACCEPT
--A logaccept-66 -m limit --limit 1/second -j LOG
--A logaccept-66 -j ACCEPT
--A logaccept-67 -j LOG
--A logaccept-67 -j TEE --gateway fc00::1
--A logaccept-67 -j ACCEPT
--A logaccept-68 -j TEE --gateway fc00::2
--A logaccept-68 -j ACCEPT
--A logaccept-69 -j ACCEPT
-A logaccept-7 -j TEE --gateway fc00::2
-A logaccept-7 -j ACCEPT
-A logaccept-8 -j ACCEPT
@@ -116296,16 +115882,6 @@ COMMIT
-A logdrop-1649 -j DROP
-A logdrop-165 -j TEE --gateway fc00::2
-A logdrop-165 -j DROP
--A logdrop-1650 -m limit --limit 1/second -j LOG
--A logdrop-1650 -j DROP
--A logdrop-1651 -m limit --limit 1/second -j LOG
--A logdrop-1651 -j DROP
--A logdrop-1652 -j LOG
--A logdrop-1652 -j TEE --gateway fc00::1
--A logdrop-1652 -j DROP
--A logdrop-1653 -j TEE --gateway fc00::2
--A logdrop-1653 -j DROP
--A logdrop-1654 -j DROP
-A logdrop-166 -j TEE --gateway fc00::2
-A logdrop-166 -j DROP
-A logdrop-167 -j TEE --gateway fc00::2
@@ -118806,10 +118382,6 @@ COMMIT
-A logdrop-ntp-98 -j DROP
-A logdrop-ntp-99 -m limit --limit 1/second -j LOG
-A logdrop-ntp-99 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
COMMIT
*mangle
:INPUT ACCEPT [0:0]
diff --git a/test/output/filter-limit/rules-save b/test/output/filter-limit/rules-save
index f8c1296..059e448 100644
--- a/test/output/filter-limit/rules-save
+++ b/test/output/filter-limit/rules-save
@@ -3811,10 +3811,6 @@
:logaccept-63 - [0:0]
:logaccept-64 - [0:0]
:logaccept-65 - [0:0]
-:logaccept-66 - [0:0]
-:logaccept-67 - [0:0]
-:logaccept-68 - [0:0]
-:logaccept-69 - [0:0]
:logaccept-7 - [0:0]
:logaccept-8 - [0:0]
:logaccept-9 - [0:0]
@@ -4882,11 +4878,6 @@
:logdrop-1648 - [0:0]
:logdrop-1649 - [0:0]
:logdrop-165 - [0:0]
-:logdrop-1650 - [0:0]
-:logdrop-1651 - [0:0]
-:logdrop-1652 - [0:0]
-:logdrop-1653 - [0:0]
-:logdrop-1654 - [0:0]
:logdrop-166 - [0:0]
:logdrop-167 - [0:0]
:logdrop-168 - [0:0]
@@ -6362,10 +6353,6 @@
:logdrop-ntp-97 - [0:0]
:logdrop-ntp-98 - [0:0]
:logdrop-ntp-99 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
-A FORWARD -m recent --name user:B --rdest --mask 255.255.255.255 --set
-A FORWARD -m recent --name user:B --rsource --mask 255.255.255.255 --set
-A FORWARD -j limit-2927
@@ -8837,27 +8824,6 @@
-A FORWARD -m recent --name user:D --rsource --mask 255.255.252.0 --set
-A FORWARD -m recent --name user:A --rsource --mask 255.255.255.255 --set
-A FORWARD -m recent --name user:A --rdest --mask 255.255.255.255 --set
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-1650
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-66
--A FORWARD -j logdrop-1651
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-67
--A FORWARD -j logdrop-1652
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-68
--A FORWARD -j logdrop-1653
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-69
--A FORWARD -j logdrop-1654
--A FORWARD -j logpass-3
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -11385,27 +11351,6 @@
-A INPUT -m recent --name user:D --rsource --mask 255.255.252.0 --set
-A INPUT -m recent --name user:A --rsource --mask 255.255.255.255 --set
-A INPUT -m recent --name user:A --rdest --mask 255.255.255.255 --set
--A INPUT -j ACCEPT
--A INPUT -j logdrop-1650
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-66
--A INPUT -j logdrop-1651
--A INPUT -j logpass-0
--A INPUT -j logaccept-67
--A INPUT -j logdrop-1652
--A INPUT -j logpass-1
--A INPUT -j logaccept-68
--A INPUT -j logdrop-1653
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-69
--A INPUT -j logdrop-1654
--A INPUT -j logpass-3
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
@@ -15367,27 +15312,6 @@
-A OUTPUT -m recent --name user:D --rsource --mask 255.255.252.0 --set
-A OUTPUT -m recent --name user:A --rsource --mask 255.255.255.255 --set
-A OUTPUT -m recent --name user:A --rdest --mask 255.255.255.255 --set
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-1650
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-66
--A OUTPUT -j logdrop-1651
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-67
--A OUTPUT -j logdrop-1652
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-68
--A OUTPUT -j logdrop-1653
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-69
--A OUTPUT -j logdrop-1654
--A OUTPUT -j logpass-3
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -24342,15 +24266,6 @@
-A logaccept-64 -j ACCEPT
-A logaccept-65 -m limit --limit 12/minute -j ULOG
-A logaccept-65 -j ACCEPT
--A logaccept-66 -m limit --limit 1/second -j LOG
--A logaccept-66 -j ACCEPT
--A logaccept-67 -j LOG
--A logaccept-67 -j ACCEPT
--A logaccept-68 -j TEE --gateway 10.0.0.1
--A logaccept-68 -j TEE --gateway 10.0.0.2
--A logaccept-68 -j ACCEPT
--A logaccept-69 -m limit --limit 12/minute -j ULOG
--A logaccept-69 -j ACCEPT
-A logaccept-7 -j TEE --gateway 10.0.0.1
-A logaccept-7 -j TEE --gateway 10.0.0.2
-A logaccept-7 -j ACCEPT
@@ -26855,17 +26770,6 @@
-A logdrop-165 -j TEE --gateway 10.0.0.1
-A logdrop-165 -j TEE --gateway 10.0.0.2
-A logdrop-165 -j DROP
--A logdrop-1650 -m limit --limit 1/second -j LOG
--A logdrop-1650 -j DROP
--A logdrop-1651 -m limit --limit 1/second -j LOG
--A logdrop-1651 -j DROP
--A logdrop-1652 -j LOG
--A logdrop-1652 -j DROP
--A logdrop-1653 -j TEE --gateway 10.0.0.1
--A logdrop-1653 -j TEE --gateway 10.0.0.2
--A logdrop-1653 -j DROP
--A logdrop-1654 -m limit --limit 12/minute -j ULOG
--A logdrop-1654 -j DROP
-A logdrop-166 -j TEE --gateway 10.0.0.1
-A logdrop-166 -j TEE --gateway 10.0.0.2
-A logdrop-166 -j DROP
@@ -30280,11 +30184,6 @@
-A logdrop-ntp-98 -j DROP
-A logdrop-ntp-99 -m limit --limit 1/second -j LOG
-A logdrop-ntp-99 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
diff --git a/test/output/filter-limit/rules6-save b/test/output/filter-limit/rules6-save
index 9c55c12..d095677 100644
--- a/test/output/filter-limit/rules6-save
+++ b/test/output/filter-limit/rules6-save
@@ -3811,10 +3811,6 @@
:logaccept-63 - [0:0]
:logaccept-64 - [0:0]
:logaccept-65 - [0:0]
-:logaccept-66 - [0:0]
-:logaccept-67 - [0:0]
-:logaccept-68 - [0:0]
-:logaccept-69 - [0:0]
:logaccept-7 - [0:0]
:logaccept-8 - [0:0]
:logaccept-9 - [0:0]
@@ -4882,11 +4878,6 @@
:logdrop-1648 - [0:0]
:logdrop-1649 - [0:0]
:logdrop-165 - [0:0]
-:logdrop-1650 - [0:0]
-:logdrop-1651 - [0:0]
-:logdrop-1652 - [0:0]
-:logdrop-1653 - [0:0]
-:logdrop-1654 - [0:0]
:logdrop-166 - [0:0]
:logdrop-167 - [0:0]
:logdrop-168 - [0:0]
@@ -6362,9 +6353,6 @@
:logdrop-ntp-97 - [0:0]
:logdrop-ntp-98 - [0:0]
:logdrop-ntp-99 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-A FORWARD -m recent --name user:B --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
-A FORWARD -m recent --name user:B --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
-A FORWARD -j limit-2927
@@ -8836,26 +8824,6 @@
-A FORWARD -m recent --name user:D --rsource --mask ffff:ffff:ffff:ffc0:: --set
-A FORWARD -m recent --name user:A --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
-A FORWARD -m recent --name user:A --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-1650
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-66
--A FORWARD -j logdrop-1651
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-67
--A FORWARD -j logdrop-1652
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-68
--A FORWARD -j logdrop-1653
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-69
--A FORWARD -j logdrop-1654
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -11357,26 +11325,6 @@
-A INPUT -m recent --name user:D --rsource --mask ffff:ffff:ffff:ffc0:: --set
-A INPUT -m recent --name user:A --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
-A INPUT -m recent --name user:A --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
--A INPUT -j ACCEPT
--A INPUT -j logdrop-1650
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-66
--A INPUT -j logdrop-1651
--A INPUT -j logpass-0
--A INPUT -j logaccept-67
--A INPUT -j logdrop-1652
--A INPUT -j logpass-1
--A INPUT -j logaccept-68
--A INPUT -j logdrop-1653
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-69
--A INPUT -j logdrop-1654
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
@@ -15339,26 +15287,6 @@
-A OUTPUT -m recent --name user:A --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
-A OUTPUT -m recent --name user:A --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
-A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-1650
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-66
--A OUTPUT -j logdrop-1651
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-67
--A OUTPUT -j logdrop-1652
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-68
--A OUTPUT -j logdrop-1653
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-69
--A OUTPUT -j logdrop-1654
--A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
@@ -22900,14 +22828,6 @@
-A logaccept-64 -j TEE --gateway fc00::2
-A logaccept-64 -j ACCEPT
-A logaccept-65 -j ACCEPT
--A logaccept-66 -m limit --limit 1/second -j LOG
--A logaccept-66 -j ACCEPT
--A logaccept-67 -j LOG
--A logaccept-67 -j TEE --gateway fc00::1
--A logaccept-67 -j ACCEPT
--A logaccept-68 -j TEE --gateway fc00::2
--A logaccept-68 -j ACCEPT
--A logaccept-69 -j ACCEPT
-A logaccept-7 -j TEE --gateway fc00::2
-A logaccept-7 -j ACCEPT
-A logaccept-8 -j ACCEPT
@@ -24658,16 +24578,6 @@
-A logdrop-1649 -j DROP
-A logdrop-165 -j TEE --gateway fc00::2
-A logdrop-165 -j DROP
--A logdrop-1650 -m limit --limit 1/second -j LOG
--A logdrop-1650 -j DROP
--A logdrop-1651 -m limit --limit 1/second -j LOG
--A logdrop-1651 -j DROP
--A logdrop-1652 -j LOG
--A logdrop-1652 -j TEE --gateway fc00::1
--A logdrop-1652 -j DROP
--A logdrop-1653 -j TEE --gateway fc00::2
--A logdrop-1653 -j DROP
--A logdrop-1654 -j DROP
-A logdrop-166 -j TEE --gateway fc00::2
-A logdrop-166 -j DROP
-A logdrop-167 -j TEE --gateway fc00::2
@@ -27168,10 +27078,6 @@
-A logdrop-ntp-98 -j DROP
-A logdrop-ntp-99 -m limit --limit 1/second -j LOG
-A logdrop-ntp-99 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
COMMIT
*mangle
:INPUT ACCEPT [0:0]
diff --git a/test/output/filter-log/dump b/test/output/filter-log/dump
new file mode 100644
index 0000000..1f1e585
--- /dev/null
+++ b/test/output/filter-log/dump
@@ -0,0 +1,1056 @@
+Custom foo [{"family":"inet6","match":"-m hl --hl-lt 7","target":"REJECT --reject-with icmpv6-no-route"},{"target":"LED --led-trigger-id foo"}]
+(custom-chain)
+
+
+Dnat 1 {"in":["_fw","A"]}
+(zone)
+ inet/nat/OUTPUT -j REDIRECT
+ inet/nat/PREROUTING -i eth0 -j REDIRECT
+
+Dnat 2 {"in":"B"}
+(zone)
+ inet/nat/PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
+
+
+Filter 1 {}
+(filter-log)
+ inet/filter/FORWARD -j ACCEPT
+ inet/filter/INPUT -j ACCEPT
+ inet/filter/OUTPUT -j ACCEPT
+ inet6/filter/FORWARD -j ACCEPT
+ inet6/filter/INPUT -j ACCEPT
+ inet6/filter/OUTPUT -j ACCEPT
+
+Filter 2 {"action":"drop"}
+(filter-log)
+ inet/filter/FORWARD -j logdrop-0
+ inet/filter/INPUT -j logdrop-0
+ inet/filter/OUTPUT -j logdrop-0
+ inet/filter/logdrop-0 -m limit --limit 1/second -j LOG
+ inet/filter/logdrop-0 -j DROP
+ inet6/filter/FORWARD -j logdrop-0
+ inet6/filter/INPUT -j logdrop-0
+ inet6/filter/OUTPUT -j logdrop-0
+ inet6/filter/logdrop-0 -m limit --limit 1/second -j LOG
+ inet6/filter/logdrop-0 -j DROP
+
+Filter 3 {"action":"pass"}
+(filter-log)
+ inet/filter/FORWARD
+ inet/filter/INPUT
+ inet/filter/OUTPUT
+ inet6/filter/FORWARD
+ inet6/filter/INPUT
+ inet6/filter/OUTPUT
+
+Filter 4 {"log":false}
+(filter-log)
+ inet/filter/FORWARD -j ACCEPT
+ inet/filter/INPUT -j ACCEPT
+ inet/filter/OUTPUT -j ACCEPT
+ inet6/filter/FORWARD -j ACCEPT
+ inet6/filter/INPUT -j ACCEPT
+ inet6/filter/OUTPUT -j ACCEPT
+
+Filter 5 {"action":"drop","log":false}
+(filter-log)
+ inet/filter/FORWARD -j DROP
+ inet/filter/INPUT -j DROP
+ inet/filter/OUTPUT -j DROP
+ inet6/filter/FORWARD -j DROP
+ inet6/filter/INPUT -j DROP
+ inet6/filter/OUTPUT -j DROP
+
+Filter 6 {"action":"pass","log":false}
+(filter-log)
+ inet/filter/FORWARD
+ inet/filter/INPUT
+ inet/filter/OUTPUT
+ inet6/filter/FORWARD
+ inet6/filter/INPUT
+ inet6/filter/OUTPUT
+
+Filter 7 {"log":true}
+(filter-log)
+ inet/filter/FORWARD -j logaccept-0
+ inet/filter/INPUT -j logaccept-0
+ inet/filter/OUTPUT -j logaccept-0
+ inet/filter/logaccept-0 -m limit --limit 1/second -j LOG
+ inet/filter/logaccept-0 -j ACCEPT
+ inet6/filter/FORWARD -j logaccept-0
+ inet6/filter/INPUT -j logaccept-0
+ inet6/filter/OUTPUT -j logaccept-0
+ inet6/filter/logaccept-0 -m limit --limit 1/second -j LOG
+ inet6/filter/logaccept-0 -j ACCEPT
+
+Filter 8 {"action":"drop","log":true}
+(filter-log)
+ inet/filter/FORWARD -j logdrop-1
+ inet/filter/INPUT -j logdrop-1
+ inet/filter/OUTPUT -j logdrop-1
+ inet/filter/logdrop-1 -m limit --limit 1/second -j LOG
+ inet/filter/logdrop-1 -j DROP
+ inet6/filter/FORWARD -j logdrop-1
+ inet6/filter/INPUT -j logdrop-1
+ inet6/filter/OUTPUT -j logdrop-1
+ inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG
+ inet6/filter/logdrop-1 -j DROP
+
+Filter 9 {"action":"pass","log":true}
+(filter-log)
+ inet/filter/FORWARD -j logpass-0
+ inet/filter/INPUT -j logpass-0
+ inet/filter/OUTPUT -j logpass-0
+ inet/filter/logpass-0 -m limit --limit 1/second -j LOG
+ inet6/filter/FORWARD -j logpass-0
+ inet6/filter/INPUT -j logpass-0
+ inet6/filter/OUTPUT -j logpass-0
+ inet6/filter/logpass-0 -m limit --limit 1/second -j LOG
+
+Filter 10 {"log":"dual"}
+(filter-log)
+ inet/filter/FORWARD -j logaccept-1
+ inet/filter/INPUT -j logaccept-1
+ inet/filter/OUTPUT -j logaccept-1
+ inet/filter/logaccept-1 -j LOG
+ inet/filter/logaccept-1 -j ACCEPT
+ inet6/filter/FORWARD -j logaccept-1
+ inet6/filter/INPUT -j logaccept-1
+ inet6/filter/OUTPUT -j logaccept-1
+ inet6/filter/logaccept-1 -j LOG
+ inet6/filter/logaccept-1 -j TEE --gateway fc00::1
+ inet6/filter/logaccept-1 -j ACCEPT
+
+Filter 11 {"action":"drop","log":"dual"}
+(filter-log)
+ inet/filter/FORWARD -j logdrop-2
+ inet/filter/INPUT -j logdrop-2
+ inet/filter/OUTPUT -j logdrop-2
+ inet/filter/logdrop-2 -j LOG
+ inet/filter/logdrop-2 -j DROP
+ inet6/filter/FORWARD -j logdrop-2
+ inet6/filter/INPUT -j logdrop-2
+ inet6/filter/OUTPUT -j logdrop-2
+ inet6/filter/logdrop-2 -j LOG
+ inet6/filter/logdrop-2 -j TEE --gateway fc00::1
+ inet6/filter/logdrop-2 -j DROP
+
+Filter 12 {"action":"pass","log":"dual"}
+(filter-log)
+ inet/filter/FORWARD -j logpass-1
+ inet/filter/INPUT -j logpass-1
+ inet/filter/OUTPUT -j logpass-1
+ inet/filter/logpass-1 -j LOG
+ inet6/filter/FORWARD -j logpass-1
+ inet6/filter/INPUT -j logpass-1
+ inet6/filter/OUTPUT -j logpass-1
+ inet6/filter/logpass-1 -j LOG
+ inet6/filter/logpass-1 -j TEE --gateway fc00::1
+
+Filter 13 {"log":"mirror"}
+(filter-log)
+ inet/filter/FORWARD -j logaccept-2
+ inet/filter/INPUT -j logaccept-2
+ inet/filter/OUTPUT -j logaccept-2
+ inet/filter/logaccept-2 -j TEE --gateway 10.0.0.1
+ inet/filter/logaccept-2 -j TEE --gateway 10.0.0.2
+ inet/filter/logaccept-2 -j ACCEPT
+ inet6/filter/FORWARD -j logaccept-2
+ inet6/filter/INPUT -j logaccept-2
+ inet6/filter/OUTPUT -j logaccept-2
+ inet6/filter/logaccept-2 -j TEE --gateway fc00::2
+ inet6/filter/logaccept-2 -j ACCEPT
+
+Filter 14 {"action":"drop","log":"mirror"}
+(filter-log)
+ inet/filter/FORWARD -j logdrop-3
+ inet/filter/INPUT -j logdrop-3
+ inet/filter/OUTPUT -j logdrop-3
+ inet/filter/logdrop-3 -j TEE --gateway 10.0.0.1
+ inet/filter/logdrop-3 -j TEE --gateway 10.0.0.2
+ inet/filter/logdrop-3 -j DROP
+ inet6/filter/FORWARD -j logdrop-3
+ inet6/filter/INPUT -j logdrop-3
+ inet6/filter/OUTPUT -j logdrop-3
+ inet6/filter/logdrop-3 -j TEE --gateway fc00::2
+ inet6/filter/logdrop-3 -j DROP
+
+Filter 15 {"action":"pass","log":"mirror"}
+(filter-log)
+ inet/filter/FORWARD -j logpass-2
+ inet/filter/INPUT -j logpass-2
+ inet/filter/OUTPUT -j logpass-2
+ inet/filter/logpass-2 -j TEE --gateway 10.0.0.1
+ inet/filter/logpass-2 -j TEE --gateway 10.0.0.2
+ inet6/filter/FORWARD -j logpass-2
+ inet6/filter/INPUT -j logpass-2
+ inet6/filter/OUTPUT -j logpass-2
+ inet6/filter/logpass-2 -j TEE --gateway fc00::2
+
+Filter 16 {"log":"none"}
+(filter-log)
+ inet/filter/FORWARD -j ACCEPT
+ inet/filter/INPUT -j ACCEPT
+ inet/filter/OUTPUT -j ACCEPT
+ inet6/filter/FORWARD -j ACCEPT
+ inet6/filter/INPUT -j ACCEPT
+ inet6/filter/OUTPUT -j ACCEPT
+
+Filter 17 {"action":"drop","log":"none"}
+(filter-log)
+ inet/filter/FORWARD -j DROP
+ inet/filter/INPUT -j DROP
+ inet/filter/OUTPUT -j DROP
+ inet6/filter/FORWARD -j DROP
+ inet6/filter/INPUT -j DROP
+ inet6/filter/OUTPUT -j DROP
+
+Filter 18 {"action":"pass","log":"none"}
+(filter-log)
+ inet/filter/FORWARD
+ inet/filter/INPUT
+ inet/filter/OUTPUT
+ inet6/filter/FORWARD
+ inet6/filter/INPUT
+ inet6/filter/OUTPUT
+
+Filter 19 {"log":"ulog"}
+(filter-log)
+ inet/filter/FORWARD -j logaccept-3
+ inet/filter/INPUT -j logaccept-3
+ inet/filter/OUTPUT -j logaccept-3
+ inet/filter/logaccept-3 -m limit --limit 12/minute -j ULOG
+ inet/filter/logaccept-3 -j ACCEPT
+ inet6/filter/FORWARD -j logaccept-3
+ inet6/filter/INPUT -j logaccept-3
+ inet6/filter/OUTPUT -j logaccept-3
+ inet6/filter/logaccept-3 -j ACCEPT
+
+Filter 20 {"action":"drop","log":"ulog"}
+(filter-log)
+ inet/filter/FORWARD -j logdrop-4
+ inet/filter/INPUT -j logdrop-4
+ inet/filter/OUTPUT -j logdrop-4
+ inet/filter/logdrop-4 -m limit --limit 12/minute -j ULOG
+ inet/filter/logdrop-4 -j DROP
+ inet6/filter/FORWARD -j logdrop-4
+ inet6/filter/INPUT -j logdrop-4
+ inet6/filter/OUTPUT -j logdrop-4
+ inet6/filter/logdrop-4 -j DROP
+
+Filter 21 {"action":"pass","log":"ulog"}
+(filter-log)
+ inet/filter/FORWARD -j logpass-3
+ inet/filter/INPUT -j logpass-3
+ inet/filter/OUTPUT -j logpass-3
+ inet/filter/logpass-3 -m limit --limit 12/minute -j ULOG
+
+Filter 22 {"action":"pass","in":"_fw","log":"ulog"}
+(log)
+ inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
+
+Filter 23 {"in":["_fw","A"]}
+(zone)
+ inet/filter/FORWARD -i eth0 -j ACCEPT
+ inet/filter/INPUT -i eth0 -j ACCEPT
+ inet/filter/OUTPUT -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -j ACCEPT
+ inet6/filter/INPUT -i eth0 -j ACCEPT
+ inet6/filter/OUTPUT -j ACCEPT
+
+Filter 24 {"in":"B","out":"C"}
+(zone)
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+
+Filter 25 {"out":["_fw","B"]}
+(zone)
+ inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/INPUT -j ACCEPT
+ inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/INPUT -j ACCEPT
+ inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
+
+Filter 26 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
+(zone)
+ inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+
+
+Ipset awall-masquerade {"family":"inet","type":"hash:net"}
+(masquerade)
+
+
+Limit B true
+(limit)
+
+Limit C 7
+(limit)
+
+Limit D {"inet":22,"inet6":58}
+(limit)
+
+
+Log _default {"limit":1}
+(defaults)
+
+Log dual {"mirror":"fc00::1","mode":"log"}
+(log)
+
+Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]}
+(log)
+
+Log nflog {"group":1,"mode":"nflog","range":128}
+(log)
+
+Log none {"mode":"none"}
+(log)
+
+Log ulog {"limit":{"interval":5},"mode":"ulog"}
+(log)
+
+
+Mark 1 {"in":["_fw","A"],"mark":1}
+(zone)
+ inet/mangle/OUTPUT -j MARK --set-mark 1
+ inet/mangle/PREROUTING -i eth0 -j MARK --set-mark 1
+ inet6/mangle/OUTPUT -j MARK --set-mark 1
+ inet6/mangle/PREROUTING -i eth0 -j MARK --set-mark 1
+
+Mark 2 {"in":"B","mark":2,"out":"C"}
+(zone)
+ inet/mangle/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j MARK --set-mark 2
+ inet/mangle/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j MARK --set-mark 2
+
+Mark 3 {"mark":3,"out":["_fw","B"]}
+(zone)
+ inet/mangle/INPUT -j MARK --set-mark 3
+ inet/mangle/POSTROUTING -o eth1 -d 10.0.0.0/12 -j MARK --set-mark 3
+ inet6/mangle/INPUT -j MARK --set-mark 3
+ inet6/mangle/POSTROUTING -o eth1 -d fc00::/7 -j MARK --set-mark 3
+
+
+No-track 1 {"in":["_fw","A"]}
+(zone)
+ inet/raw/OUTPUT -j CT --notrack
+ inet/raw/PREROUTING -i eth0 -j CT --notrack
+ inet6/raw/OUTPUT -j CT --notrack
+ inet6/raw/PREROUTING -i eth0 -j CT --notrack
+
+No-track 2 {"in":"B"}
+(zone)
+ inet/raw/PREROUTING -i eth1 -s 10.0.0.0/12 -j CT --notrack
+ inet6/raw/PREROUTING -i eth1 -s fc00::/7 -j CT --notrack
+
+No-track 3 {"out":"_fw"}
+(zone)
+ inet/raw/PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
+ inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
+
+
+Packet-log 1 {"out":"_fw"}
+(log)
+ inet/filter/INPUT -m limit --limit 1/second -j LOG
+ inet6/filter/INPUT -m limit --limit 1/second -j LOG
+
+Packet-log 2 {"log":"mirror","out":"_fw"}
+(log)
+ inet/filter/INPUT -j TEE --gateway 10.0.0.1
+ inet/filter/INPUT -j TEE --gateway 10.0.0.2
+ inet6/filter/INPUT -j TEE --gateway fc00::2
+
+Packet-log 3 {"log":"nflog","out":"_fw"}
+(log)
+ inet/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
+ inet6/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
+
+Packet-log 4 {"log":"ulog","out":"_fw"}
+(log)
+ inet/filter/INPUT -m limit --limit 12/minute -j ULOG
+
+
+Service babel {"port":6697,"proto":"tcp"}
+(services)
+
+Service bacula-dir {"port":9101,"proto":"tcp"}
+(services)
+
+Service bacula-fd {"port":9102,"proto":"tcp"}
+(services)
+
+Service bacula-sd {"port":9103,"proto":"tcp"}
+(services)
+
+Service bgp {"port":179,"proto":"tcp"}
+(services)
+
+Service dhcp {"family":"inet","port":[67,68],"proto":"udp"}
+(services)
+
+Service discard [{"port":9,"proto":"tcp"},{"port":9,"proto":"udp"}]
+(services)
+
+Service dns [{"port":53,"proto":"tcp"},{"port":53,"proto":"udp"}]
+(services)
+
+Service epmap [{"port":135,"proto":"tcp"},{"port":135,"proto":"udp"}]
+(services)
+
+Service ftp {"ct-helper":"ftp","port":21,"proto":"tcp"}
+(services)
+
+Service gre {"proto":"gre"}
+(services)
+
+Service hp-pdl {"port":9100,"proto":"tcp"}
+(services)
+
+Service http {"port":80,"proto":"tcp"}
+(services)
+
+Service http-alt {"port":8080,"proto":"tcp"}
+(services)
+
+Service https {"port":443,"proto":"tcp"}
+(services)
+
+Service icmp {"proto":"icmp"}
+(services)
+
+Service igmp {"proto":"igmp"}
+(services)
+
+Service imap {"port":143,"proto":"tcp"}
+(services)
+
+Service imaps {"port":993,"proto":"tcp"}
+(services)
+
+Service ipsec [{"proto":"esp"},{"port":[500,4500],"proto":"udp"}]
+(services)
+
+Service irc {"ct-helper":"irc","port":6667,"proto":"tcp"}
+(services)
+
+Service kerberos [{"port":88,"proto":"tcp"},{"port":88,"proto":"udp"}]
+(services)
+
+Service kpasswd [{"port":464,"proto":"tcp"},{"port":464,"proto":"udp"}]
+(services)
+
+Service l2tp {"port":1701,"proto":"udp"}
+(services)
+
+Service ldap [{"port":389,"proto":"tcp"},{"port":389,"proto":"udp"}]
+(services)
+
+Service ldaps [{"port":636,"proto":"tcp"},{"port":636,"proto":"udp"}]
+(services)
+
+Service microsoft-ds [{"port":445,"proto":"tcp"},{"port":445,"proto":"udp"}]
+(services)
+
+Service mqtt {"port":1883,"proto":"tcp"}
+(services)
+
+Service mqtt-sn {"port":1883,"proto":"udp"}
+(services)
+
+Service mqtt-ws {"port":8083,"proto":"tcp"}
+(services)
+
+Service ms-sql-m {"port":1434,"proto":"tcp"}
+(services)
+
+Service ms-sql-s {"port":1433,"proto":"tcp"}
+(services)
+
+Service msft-gc [{"port":3268,"proto":"tcp"},{"port":3268,"proto":"udp"}]
+(services)
+
+Service msft-gc-ssl [{"port":3269,"proto":"tcp"},{"port":3269,"proto":"udp"}]
+(services)
+
+Service netbios-ds [{"port":138,"proto":"tcp"},{"port":138,"proto":"udp"}]
+(services)
+
+Service netbios-ns [{"family":"inet","port":137,"proto":"tcp"},{"ct-helper":"netbios-ns","family":"inet","port":137,"proto":"udp"}]
+(services)
+
+Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}]
+(services)
+
+Service ntp {"port":123,"proto":"udp"}
+(services)
+
+Service openvpn {"port":1194,"proto":"udp"}
+(services)
+
+Service ospf {"proto":"ospf"}
+(services)
+
+Service pgsql {"port":5432,"proto":"tcp"}
+(services)
+
+Service ping [{"proto":"icmp","reply-type":0,"type":8},{"proto":"icmpv6","reply-type":129,"type":128}]
+(services)
+
+Service pop3 {"port":110,"proto":"tcp"}
+(services)
+
+Service pop3s {"port":995,"proto":"tcp"}
+(services)
+
+Service radius [{"port":1812,"proto":"tcp"},{"port":1812,"proto":"udp"}]
+(services)
+
+Service radius-acct [{"port":1813,"proto":"tcp"},{"port":1813,"proto":"udp"}]
+(services)
+
+Service rdp {"port":3389,"proto":"tcp"}
+(services)
+
+Service rsync {"port":873,"proto":"tcp"}
+(services)
+
+Service rtmp {"port":1935,"proto":"tcp"}
+(services)
+
+Service rtsp {"port":554,"proto":"tcp"}
+(services)
+
+Service secure-mqtt {"port":8883,"proto":"tcp"}
+(services)
+
+Service sieve {"port":4190,"proto":"tcp"}
+(services)
+
+Service sip [{"ct-helper":"sip","port":5060,"proto":"tcp"},{"ct-helper":"sip","port":5060,"proto":"udp"}]
+(services)
+
+Service sip-tls [{"port":5061,"proto":"tcp"},{"port":5061,"proto":"udp"}]
+(services)
+
+Service smtp {"port":25,"proto":"tcp"}
+(services)
+
+Service snmp {"port":161,"proto":"udp"}
+(services)
+
+Service snmp-trap {"port":162,"proto":"udp"}
+(services)
+
+Service ssh {"port":22,"proto":"tcp"}
+(services)
+
+Service submission {"port":587,"proto":"tcp"}
+(services)
+
+Service syslog {"port":514,"proto":"udp"}
+(services)
+
+Service telnet {"port":23,"proto":"tcp"}
+(services)
+
+Service teredo {"port":3544,"proto":"udp"}
+(services)
+
+Service tftp {"port":69,"proto":"udp"}
+(services)
+
+Service tinc [{"port":655,"proto":"tcp"},{"port":655,"proto":"udp"}]
+(services)
+
+Service vnc {"port":5900,"proto":"tcp"}
+(services)
+
+Service zabbix-agent {"port":10050,"proto":"tcp"}
+(services)
+
+Service zabbix-trapper {"port":10051,"proto":"tcp"}
+(services)
+
+
+Snat 1 {"out":"A"}
+(zone)
+ inet/nat/POSTROUTING -o eth0 -j MASQUERADE
+
+Snat 2 {"out":["_fw","B"],"to-addr":"10.1.2.3"}
+(zone)
+ inet/nat/INPUT -j SNAT --to-source 10.1.2.3
+ inet/nat/POSTROUTING -o eth1 -d 10.0.0.0/12 -j SNAT --to-source 10.1.2.3
+
+
+Variable awall_dedicated_chains false
+(defaults)
+
+Variable awall_tproxy_mark 1
+(defaults)
+
+
+Zone A {"iface":"eth0"}
+(zone)
+
+Zone B {"addr":["10.0.0.0\/12","fc00::\/7"],"iface":"eth1"}
+(zone)
+
+Zone C {"addr":"10.1.0.0\/12","iface":["eth2","eth3"]}
+(zone)
+
+Zone D {"iface":["eth4","eth5"],"route-back":true}
+(zone)
+
+Zone E {"ipsec":true}
+(zone)
+
+
+# ipset awall-masquerade
+hash:net family inet
+
+
+# rules-save generated by awall
+*filter
+:FORWARD DROP [0:0]
+:INPUT DROP [0:0]
+:OUTPUT DROP [0:0]
+:icmp-routing - [0:0]
+:logaccept-0 - [0:0]
+:logaccept-1 - [0:0]
+:logaccept-2 - [0:0]
+:logaccept-3 - [0:0]
+:logdrop-0 - [0:0]
+:logdrop-1 - [0:0]
+:logdrop-2 - [0:0]
+:logdrop-3 - [0:0]
+:logdrop-4 - [0:0]
+:logpass-0 - [0:0]
+:logpass-1 - [0:0]
+:logpass-2 - [0:0]
+:logpass-3 - [0:0]
+-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A FORWARD -j ACCEPT
+-A FORWARD -j logdrop-0
+-A FORWARD
+-A FORWARD -j ACCEPT
+-A FORWARD -j DROP
+-A FORWARD
+-A FORWARD -j logaccept-0
+-A FORWARD -j logdrop-1
+-A FORWARD -j logpass-0
+-A FORWARD -j logaccept-1
+-A FORWARD -j logdrop-2
+-A FORWARD -j logpass-1
+-A FORWARD -j logaccept-2
+-A FORWARD -j logdrop-3
+-A FORWARD -j logpass-2
+-A FORWARD -j ACCEPT
+-A FORWARD -j DROP
+-A FORWARD
+-A FORWARD -j logaccept-3
+-A FORWARD -j logdrop-4
+-A FORWARD -j logpass-3
+-A FORWARD -i eth0 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth4 -j ACCEPT
+-A FORWARD -i eth0 -o eth5 -j ACCEPT
+-A FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth4 -o eth0 -j ACCEPT
+-A FORWARD -i eth5 -o eth0 -j ACCEPT
+-A FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth4 -o eth4 -j ACCEPT
+-A FORWARD -i eth4 -o eth5 -j ACCEPT
+-A FORWARD -i eth5 -o eth4 -j ACCEPT
+-A FORWARD -i eth5 -o eth5 -j ACCEPT
+-A FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -p icmp -j icmp-routing
+-A INPUT -m limit --limit 12/minute -j ULOG
+-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
+-A INPUT -j TEE --gateway 10.0.0.2
+-A INPUT -j TEE --gateway 10.0.0.1
+-A INPUT -m limit --limit 1/second -j LOG
+-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j ACCEPT
+-A INPUT -j logdrop-0
+-A INPUT
+-A INPUT -j ACCEPT
+-A INPUT -j DROP
+-A INPUT
+-A INPUT -j logaccept-0
+-A INPUT -j logdrop-1
+-A INPUT -j logpass-0
+-A INPUT -j logaccept-1
+-A INPUT -j logdrop-2
+-A INPUT -j logpass-1
+-A INPUT -j logaccept-2
+-A INPUT -j logdrop-3
+-A INPUT -j logpass-2
+-A INPUT -j ACCEPT
+-A INPUT -j DROP
+-A INPUT
+-A INPUT -j logaccept-3
+-A INPUT -j logdrop-4
+-A INPUT -j logpass-3
+-A INPUT -i eth0 -j ACCEPT
+-A INPUT -j ACCEPT
+-A INPUT -p icmp -j icmp-routing
+-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logdrop-0
+-A OUTPUT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j DROP
+-A OUTPUT
+-A OUTPUT -j logaccept-0
+-A OUTPUT -j logdrop-1
+-A OUTPUT -j logpass-0
+-A OUTPUT -j logaccept-1
+-A OUTPUT -j logdrop-2
+-A OUTPUT -j logpass-1
+-A OUTPUT -j logaccept-2
+-A OUTPUT -j logdrop-3
+-A OUTPUT -j logpass-2
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j DROP
+-A OUTPUT
+-A OUTPUT -j logaccept-3
+-A OUTPUT -j logdrop-4
+-A OUTPUT -j logpass-3
+-A OUTPUT -m limit --limit 12/minute -j ULOG
+-A OUTPUT -j ACCEPT
+-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A OUTPUT -p icmp -j icmp-routing
+-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
+-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
+-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
+-A logaccept-0 -m limit --limit 1/second -j LOG
+-A logaccept-0 -j ACCEPT
+-A logaccept-1 -j LOG
+-A logaccept-1 -j ACCEPT
+-A logaccept-2 -j TEE --gateway 10.0.0.1
+-A logaccept-2 -j TEE --gateway 10.0.0.2
+-A logaccept-2 -j ACCEPT
+-A logaccept-3 -m limit --limit 12/minute -j ULOG
+-A logaccept-3 -j ACCEPT
+-A logdrop-0 -m limit --limit 1/second -j LOG
+-A logdrop-0 -j DROP
+-A logdrop-1 -m limit --limit 1/second -j LOG
+-A logdrop-1 -j DROP
+-A logdrop-2 -j LOG
+-A logdrop-2 -j DROP
+-A logdrop-3 -j TEE --gateway 10.0.0.1
+-A logdrop-3 -j TEE --gateway 10.0.0.2
+-A logdrop-3 -j DROP
+-A logdrop-4 -m limit --limit 12/minute -j ULOG
+-A logdrop-4 -j DROP
+-A logpass-0 -m limit --limit 1/second -j LOG
+-A logpass-1 -j LOG
+-A logpass-2 -j TEE --gateway 10.0.0.1
+-A logpass-2 -j TEE --gateway 10.0.0.2
+-A logpass-3 -m limit --limit 12/minute -j ULOG
+COMMIT
+*mangle
+:FORWARD ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j MARK --set-mark 2
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j MARK --set-mark 2
+-A INPUT -j MARK --set-mark 3
+-A OUTPUT -j MARK --set-mark 1
+-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j MARK --set-mark 3
+-A PREROUTING -i eth0 -j MARK --set-mark 1
+COMMIT
+*nat
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
+:masquerade - [0:0]
+-A INPUT -j SNAT --to-source 10.1.2.3
+-A OUTPUT -j REDIRECT
+-A POSTROUTING -o eth0 -j MASQUERADE
+-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j SNAT --to-source 10.1.2.3
+-A POSTROUTING -m set --match-set awall-masquerade src -j masquerade
+-A PREROUTING -i eth0 -j REDIRECT
+-A PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
+-A masquerade -m set ! --match-set awall-masquerade dst -j MASQUERADE
+COMMIT
+*raw
+:OUTPUT ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
+-A OUTPUT -j CT --notrack
+-A PREROUTING -i eth0 -j CT --notrack
+-A PREROUTING -i eth1 -s 10.0.0.0/12 -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
+COMMIT
+
+# rules6-save generated by awall
+*filter
+:FORWARD DROP [0:0]
+:INPUT DROP [0:0]
+:OUTPUT DROP [0:0]
+:icmp-routing - [0:0]
+:logaccept-0 - [0:0]
+:logaccept-1 - [0:0]
+:logaccept-2 - [0:0]
+:logaccept-3 - [0:0]
+:logdrop-0 - [0:0]
+:logdrop-1 - [0:0]
+:logdrop-2 - [0:0]
+:logdrop-3 - [0:0]
+:logdrop-4 - [0:0]
+:logpass-0 - [0:0]
+:logpass-1 - [0:0]
+:logpass-2 - [0:0]
+-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A FORWARD -j ACCEPT
+-A FORWARD -j logdrop-0
+-A FORWARD
+-A FORWARD -j ACCEPT
+-A FORWARD -j DROP
+-A FORWARD
+-A FORWARD -j logaccept-0
+-A FORWARD -j logdrop-1
+-A FORWARD -j logpass-0
+-A FORWARD -j logaccept-1
+-A FORWARD -j logdrop-2
+-A FORWARD -j logpass-1
+-A FORWARD -j logaccept-2
+-A FORWARD -j logdrop-3
+-A FORWARD -j logpass-2
+-A FORWARD -j ACCEPT
+-A FORWARD -j DROP
+-A FORWARD
+-A FORWARD -j logaccept-3
+-A FORWARD -j logdrop-4
+-A FORWARD -i eth0 -j ACCEPT
+-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth0 -o eth4 -j ACCEPT
+-A FORWARD -i eth0 -o eth5 -j ACCEPT
+-A FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth4 -o eth0 -j ACCEPT
+-A FORWARD -i eth5 -o eth0 -j ACCEPT
+-A FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth4 -o eth4 -j ACCEPT
+-A FORWARD -i eth4 -o eth5 -j ACCEPT
+-A FORWARD -i eth5 -o eth4 -j ACCEPT
+-A FORWARD -i eth5 -o eth5 -j ACCEPT
+-A FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -p icmpv6 -j icmp-routing
+-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
+-A INPUT -j TEE --gateway fc00::2
+-A INPUT -m limit --limit 1/second -j LOG
+-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j ACCEPT
+-A INPUT -j logdrop-0
+-A INPUT
+-A INPUT -j ACCEPT
+-A INPUT -j DROP
+-A INPUT
+-A INPUT -j logaccept-0
+-A INPUT -j logdrop-1
+-A INPUT -j logpass-0
+-A INPUT -j logaccept-1
+-A INPUT -j logdrop-2
+-A INPUT -j logpass-1
+-A INPUT -j logaccept-2
+-A INPUT -j logdrop-3
+-A INPUT -j logpass-2
+-A INPUT -j ACCEPT
+-A INPUT -j DROP
+-A INPUT
+-A INPUT -j logaccept-3
+-A INPUT -j logdrop-4
+-A INPUT -i eth0 -j ACCEPT
+-A INPUT -j ACCEPT
+-A INPUT -p icmpv6 -j ACCEPT
+-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logdrop-0
+-A OUTPUT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j DROP
+-A OUTPUT
+-A OUTPUT -j logaccept-0
+-A OUTPUT -j logdrop-1
+-A OUTPUT -j logpass-0
+-A OUTPUT -j logaccept-1
+-A OUTPUT -j logdrop-2
+-A OUTPUT -j logpass-1
+-A OUTPUT -j logaccept-2
+-A OUTPUT -j logdrop-3
+-A OUTPUT -j logpass-2
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j DROP
+-A OUTPUT
+-A OUTPUT -j logaccept-3
+-A OUTPUT -j logdrop-4
+-A OUTPUT -j ACCEPT
+-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
+-A OUTPUT -p icmpv6 -j ACCEPT
+-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
+-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
+-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
+-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
+-A logaccept-0 -m limit --limit 1/second -j LOG
+-A logaccept-0 -j ACCEPT
+-A logaccept-1 -j LOG
+-A logaccept-1 -j TEE --gateway fc00::1
+-A logaccept-1 -j ACCEPT
+-A logaccept-2 -j TEE --gateway fc00::2
+-A logaccept-2 -j ACCEPT
+-A logaccept-3 -j ACCEPT
+-A logdrop-0 -m limit --limit 1/second -j LOG
+-A logdrop-0 -j DROP
+-A logdrop-1 -m limit --limit 1/second -j LOG
+-A logdrop-1 -j DROP
+-A logdrop-2 -j LOG
+-A logdrop-2 -j TEE --gateway fc00::1
+-A logdrop-2 -j DROP
+-A logdrop-3 -j TEE --gateway fc00::2
+-A logdrop-3 -j DROP
+-A logdrop-4 -j DROP
+-A logpass-0 -m limit --limit 1/second -j LOG
+-A logpass-1 -j LOG
+-A logpass-1 -j TEE --gateway fc00::1
+-A logpass-2 -j TEE --gateway fc00::2
+COMMIT
+*mangle
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
+-A INPUT -j MARK --set-mark 3
+-A OUTPUT -j MARK --set-mark 1
+-A POSTROUTING -o eth1 -d fc00::/7 -j MARK --set-mark 3
+-A PREROUTING -i eth0 -j MARK --set-mark 1
+COMMIT
+*raw
+:OUTPUT ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
+-A OUTPUT -j CT --notrack
+-A PREROUTING -i eth0 -j CT --notrack
+-A PREROUTING -i eth1 -s fc00::/7 -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
+COMMIT
+
diff --git a/test/output/filter-log/ipset-awall-masquerade b/test/output/filter-log/ipset-awall-masquerade
new file mode 100644
index 0000000..b3a47fd
--- /dev/null
+++ b/test/output/filter-log/ipset-awall-masquerade
@@ -0,0 +1,2 @@
+# ipset awall-masquerade
+hash:net family inet
diff --git a/test/output/filter-log/rules-save b/test/output/filter-log/rules-save
new file mode 100644
index 0000000..295fc45
--- /dev/null
+++ b/test/output/filter-log/rules-save
@@ -0,0 +1,214 @@
+# rules-save generated by awall
+*filter
+:FORWARD DROP [0:0]
+:INPUT DROP [0:0]
+:OUTPUT DROP [0:0]
+:icmp-routing - [0:0]
+:logaccept-0 - [0:0]
+:logaccept-1 - [0:0]
+:logaccept-2 - [0:0]
+:logaccept-3 - [0:0]
+:logdrop-0 - [0:0]
+:logdrop-1 - [0:0]
+:logdrop-2 - [0:0]
+:logdrop-3 - [0:0]
+:logdrop-4 - [0:0]
+:logpass-0 - [0:0]
+:logpass-1 - [0:0]
+:logpass-2 - [0:0]
+:logpass-3 - [0:0]
+-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A FORWARD -j ACCEPT
+-A FORWARD -j logdrop-0
+-A FORWARD
+-A FORWARD -j ACCEPT
+-A FORWARD -j DROP
+-A FORWARD
+-A FORWARD -j logaccept-0
+-A FORWARD -j logdrop-1
+-A FORWARD -j logpass-0
+-A FORWARD -j logaccept-1
+-A FORWARD -j logdrop-2
+-A FORWARD -j logpass-1
+-A FORWARD -j logaccept-2
+-A FORWARD -j logdrop-3
+-A FORWARD -j logpass-2
+-A FORWARD -j ACCEPT
+-A FORWARD -j DROP
+-A FORWARD
+-A FORWARD -j logaccept-3
+-A FORWARD -j logdrop-4
+-A FORWARD -j logpass-3
+-A FORWARD -i eth0 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth4 -j ACCEPT
+-A FORWARD -i eth0 -o eth5 -j ACCEPT
+-A FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth4 -o eth0 -j ACCEPT
+-A FORWARD -i eth5 -o eth0 -j ACCEPT
+-A FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth4 -o eth4 -j ACCEPT
+-A FORWARD -i eth4 -o eth5 -j ACCEPT
+-A FORWARD -i eth5 -o eth4 -j ACCEPT
+-A FORWARD -i eth5 -o eth5 -j ACCEPT
+-A FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -p icmp -j icmp-routing
+-A INPUT -m limit --limit 12/minute -j ULOG
+-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
+-A INPUT -j TEE --gateway 10.0.0.2
+-A INPUT -j TEE --gateway 10.0.0.1
+-A INPUT -m limit --limit 1/second -j LOG
+-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j ACCEPT
+-A INPUT -j logdrop-0
+-A INPUT
+-A INPUT -j ACCEPT
+-A INPUT -j DROP
+-A INPUT
+-A INPUT -j logaccept-0
+-A INPUT -j logdrop-1
+-A INPUT -j logpass-0
+-A INPUT -j logaccept-1
+-A INPUT -j logdrop-2
+-A INPUT -j logpass-1
+-A INPUT -j logaccept-2
+-A INPUT -j logdrop-3
+-A INPUT -j logpass-2
+-A INPUT -j ACCEPT
+-A INPUT -j DROP
+-A INPUT
+-A INPUT -j logaccept-3
+-A INPUT -j logdrop-4
+-A INPUT -j logpass-3
+-A INPUT -i eth0 -j ACCEPT
+-A INPUT -j ACCEPT
+-A INPUT -p icmp -j icmp-routing
+-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logdrop-0
+-A OUTPUT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j DROP
+-A OUTPUT
+-A OUTPUT -j logaccept-0
+-A OUTPUT -j logdrop-1
+-A OUTPUT -j logpass-0
+-A OUTPUT -j logaccept-1
+-A OUTPUT -j logdrop-2
+-A OUTPUT -j logpass-1
+-A OUTPUT -j logaccept-2
+-A OUTPUT -j logdrop-3
+-A OUTPUT -j logpass-2
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j DROP
+-A OUTPUT
+-A OUTPUT -j logaccept-3
+-A OUTPUT -j logdrop-4
+-A OUTPUT -j logpass-3
+-A OUTPUT -m limit --limit 12/minute -j ULOG
+-A OUTPUT -j ACCEPT
+-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A OUTPUT -p icmp -j icmp-routing
+-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
+-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
+-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
+-A logaccept-0 -m limit --limit 1/second -j LOG
+-A logaccept-0 -j ACCEPT
+-A logaccept-1 -j LOG
+-A logaccept-1 -j ACCEPT
+-A logaccept-2 -j TEE --gateway 10.0.0.1
+-A logaccept-2 -j TEE --gateway 10.0.0.2
+-A logaccept-2 -j ACCEPT
+-A logaccept-3 -m limit --limit 12/minute -j ULOG
+-A logaccept-3 -j ACCEPT
+-A logdrop-0 -m limit --limit 1/second -j LOG
+-A logdrop-0 -j DROP
+-A logdrop-1 -m limit --limit 1/second -j LOG
+-A logdrop-1 -j DROP
+-A logdrop-2 -j LOG
+-A logdrop-2 -j DROP
+-A logdrop-3 -j TEE --gateway 10.0.0.1
+-A logdrop-3 -j TEE --gateway 10.0.0.2
+-A logdrop-3 -j DROP
+-A logdrop-4 -m limit --limit 12/minute -j ULOG
+-A logdrop-4 -j DROP
+-A logpass-0 -m limit --limit 1/second -j LOG
+-A logpass-1 -j LOG
+-A logpass-2 -j TEE --gateway 10.0.0.1
+-A logpass-2 -j TEE --gateway 10.0.0.2
+-A logpass-3 -m limit --limit 12/minute -j ULOG
+COMMIT
+*mangle
+:FORWARD ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j MARK --set-mark 2
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j MARK --set-mark 2
+-A INPUT -j MARK --set-mark 3
+-A OUTPUT -j MARK --set-mark 1
+-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j MARK --set-mark 3
+-A PREROUTING -i eth0 -j MARK --set-mark 1
+COMMIT
+*nat
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
+:masquerade - [0:0]
+-A INPUT -j SNAT --to-source 10.1.2.3
+-A OUTPUT -j REDIRECT
+-A POSTROUTING -o eth0 -j MASQUERADE
+-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j SNAT --to-source 10.1.2.3
+-A POSTROUTING -m set --match-set awall-masquerade src -j masquerade
+-A PREROUTING -i eth0 -j REDIRECT
+-A PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
+-A masquerade -m set ! --match-set awall-masquerade dst -j MASQUERADE
+COMMIT
+*raw
+:OUTPUT ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
+-A OUTPUT -j CT --notrack
+-A PREROUTING -i eth0 -j CT --notrack
+-A PREROUTING -i eth1 -s 10.0.0.0/12 -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
+COMMIT
diff --git a/test/output/filter-log/rules6-save b/test/output/filter-log/rules6-save
new file mode 100644
index 0000000..d4e6291
--- /dev/null
+++ b/test/output/filter-log/rules6-save
@@ -0,0 +1,163 @@
+# rules6-save generated by awall
+*filter
+:FORWARD DROP [0:0]
+:INPUT DROP [0:0]
+:OUTPUT DROP [0:0]
+:icmp-routing - [0:0]
+:logaccept-0 - [0:0]
+:logaccept-1 - [0:0]
+:logaccept-2 - [0:0]
+:logaccept-3 - [0:0]
+:logdrop-0 - [0:0]
+:logdrop-1 - [0:0]
+:logdrop-2 - [0:0]
+:logdrop-3 - [0:0]
+:logdrop-4 - [0:0]
+:logpass-0 - [0:0]
+:logpass-1 - [0:0]
+:logpass-2 - [0:0]
+-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A FORWARD -j ACCEPT
+-A FORWARD -j logdrop-0
+-A FORWARD
+-A FORWARD -j ACCEPT
+-A FORWARD -j DROP
+-A FORWARD
+-A FORWARD -j logaccept-0
+-A FORWARD -j logdrop-1
+-A FORWARD -j logpass-0
+-A FORWARD -j logaccept-1
+-A FORWARD -j logdrop-2
+-A FORWARD -j logpass-1
+-A FORWARD -j logaccept-2
+-A FORWARD -j logdrop-3
+-A FORWARD -j logpass-2
+-A FORWARD -j ACCEPT
+-A FORWARD -j DROP
+-A FORWARD
+-A FORWARD -j logaccept-3
+-A FORWARD -j logdrop-4
+-A FORWARD -i eth0 -j ACCEPT
+-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth0 -o eth4 -j ACCEPT
+-A FORWARD -i eth0 -o eth5 -j ACCEPT
+-A FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth4 -o eth0 -j ACCEPT
+-A FORWARD -i eth5 -o eth0 -j ACCEPT
+-A FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth4 -o eth4 -j ACCEPT
+-A FORWARD -i eth4 -o eth5 -j ACCEPT
+-A FORWARD -i eth5 -o eth4 -j ACCEPT
+-A FORWARD -i eth5 -o eth5 -j ACCEPT
+-A FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -p icmpv6 -j icmp-routing
+-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
+-A INPUT -j TEE --gateway fc00::2
+-A INPUT -m limit --limit 1/second -j LOG
+-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j ACCEPT
+-A INPUT -j logdrop-0
+-A INPUT
+-A INPUT -j ACCEPT
+-A INPUT -j DROP
+-A INPUT
+-A INPUT -j logaccept-0
+-A INPUT -j logdrop-1
+-A INPUT -j logpass-0
+-A INPUT -j logaccept-1
+-A INPUT -j logdrop-2
+-A INPUT -j logpass-1
+-A INPUT -j logaccept-2
+-A INPUT -j logdrop-3
+-A INPUT -j logpass-2
+-A INPUT -j ACCEPT
+-A INPUT -j DROP
+-A INPUT
+-A INPUT -j logaccept-3
+-A INPUT -j logdrop-4
+-A INPUT -i eth0 -j ACCEPT
+-A INPUT -j ACCEPT
+-A INPUT -p icmpv6 -j ACCEPT
+-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logdrop-0
+-A OUTPUT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j DROP
+-A OUTPUT
+-A OUTPUT -j logaccept-0
+-A OUTPUT -j logdrop-1
+-A OUTPUT -j logpass-0
+-A OUTPUT -j logaccept-1
+-A OUTPUT -j logdrop-2
+-A OUTPUT -j logpass-1
+-A OUTPUT -j logaccept-2
+-A OUTPUT -j logdrop-3
+-A OUTPUT -j logpass-2
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j DROP
+-A OUTPUT
+-A OUTPUT -j logaccept-3
+-A OUTPUT -j logdrop-4
+-A OUTPUT -j ACCEPT
+-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
+-A OUTPUT -p icmpv6 -j ACCEPT
+-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
+-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
+-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
+-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
+-A logaccept-0 -m limit --limit 1/second -j LOG
+-A logaccept-0 -j ACCEPT
+-A logaccept-1 -j LOG
+-A logaccept-1 -j TEE --gateway fc00::1
+-A logaccept-1 -j ACCEPT
+-A logaccept-2 -j TEE --gateway fc00::2
+-A logaccept-2 -j ACCEPT
+-A logaccept-3 -j ACCEPT
+-A logdrop-0 -m limit --limit 1/second -j LOG
+-A logdrop-0 -j DROP
+-A logdrop-1 -m limit --limit 1/second -j LOG
+-A logdrop-1 -j DROP
+-A logdrop-2 -j LOG
+-A logdrop-2 -j TEE --gateway fc00::1
+-A logdrop-2 -j DROP
+-A logdrop-3 -j TEE --gateway fc00::2
+-A logdrop-3 -j DROP
+-A logdrop-4 -j DROP
+-A logpass-0 -m limit --limit 1/second -j LOG
+-A logpass-1 -j LOG
+-A logpass-1 -j TEE --gateway fc00::1
+-A logpass-2 -j TEE --gateway fc00::2
+COMMIT
+*mangle
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
+-A INPUT -j MARK --set-mark 3
+-A OUTPUT -j MARK --set-mark 1
+-A POSTROUTING -o eth1 -d fc00::/7 -j MARK --set-mark 3
+-A PREROUTING -i eth0 -j MARK --set-mark 1
+COMMIT
+*raw
+:OUTPUT ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
+-A OUTPUT -j CT --notrack
+-A PREROUTING -i eth0 -j CT --notrack
+-A PREROUTING -i eth1 -s fc00::/7 -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
+COMMIT
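Review bot: The `logaccept-3` and `logdrop-4` chains in this IPv6 fixture hold only their verdict (`-A logaccept-3 -j ACCEPT`, `-A logdrop-4 -j DROP`) and `logpass-3` is not created at all, so the expected output pins that a filter using the ULOG-based log class leaves no log record for IPv6 traffic, whereas the IPv4 `rules-save` in the same directory has `-m limit --limit 12/minute -j ULOG` in each of these chains. ULOG is an IPv4-only target, so this is presumably intended, but nothing in the fixture says so and a reader auditing log coverage could take it for a regression. I would state it next to the ulog cases in the test definition (not visible here, presumably `test/optional/filter-log.lua`), for example `-- ulog is IPv4-only: the inet6 chains for these filters carry the verdict but no log rule`. The same gap shows in the built-in chains: the IPv4 file has a ULOG rule at the top of INPUT and another in OUTPUT, and this file has neither.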
diff --git a/test/output/filter/dump b/test/output/filter/dump
index fa9c467..fdba6f8 100644
--- a/test/output/filter/dump
+++ b/test/output/filter/dump
@@ -82,244 +82,11 @@ Filter 6 {"action":"tarpit"}
inet6/raw/OUTPUT -j CT --notrack
inet6/raw/PREROUTING -j CT --notrack
-Filter 7 {}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 8 {"action":"drop"}
-(log)
- inet/filter/FORWARD -j logdrop-1
- inet/filter/INPUT -j logdrop-1
- inet/filter/OUTPUT -j logdrop-1
- inet/filter/logdrop-1 -m limit --limit 1/second -j LOG
- inet/filter/logdrop-1 -j DROP
- inet6/filter/FORWARD -j logdrop-1
- inet6/filter/INPUT -j logdrop-1
- inet6/filter/OUTPUT -j logdrop-1
- inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG
- inet6/filter/logdrop-1 -j DROP
-
-Filter 9 {"action":"pass"}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 10 {"log":false}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 11 {"action":"drop","log":false}
-(log)
- inet/filter/FORWARD -j DROP
- inet/filter/INPUT -j DROP
- inet/filter/OUTPUT -j DROP
- inet6/filter/FORWARD -j DROP
- inet6/filter/INPUT -j DROP
- inet6/filter/OUTPUT -j DROP
-
-Filter 12 {"action":"pass","log":false}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 13 {"log":true}
-(log)
- inet/filter/FORWARD -j logaccept-0
- inet/filter/INPUT -j logaccept-0
- inet/filter/OUTPUT -j logaccept-0
- inet/filter/logaccept-0 -m limit --limit 1/second -j LOG
- inet/filter/logaccept-0 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-0
- inet6/filter/INPUT -j logaccept-0
- inet6/filter/OUTPUT -j logaccept-0
- inet6/filter/logaccept-0 -m limit --limit 1/second -j LOG
- inet6/filter/logaccept-0 -j ACCEPT
-
-Filter 14 {"action":"drop","log":true}
-(log)
- inet/filter/FORWARD -j logdrop-2
- inet/filter/INPUT -j logdrop-2
- inet/filter/OUTPUT -j logdrop-2
- inet/filter/logdrop-2 -m limit --limit 1/second -j LOG
- inet/filter/logdrop-2 -j DROP
- inet6/filter/FORWARD -j logdrop-2
- inet6/filter/INPUT -j logdrop-2
- inet6/filter/OUTPUT -j logdrop-2
- inet6/filter/logdrop-2 -m limit --limit 1/second -j LOG
- inet6/filter/logdrop-2 -j DROP
-
-Filter 15 {"action":"pass","log":true}
-(log)
- inet/filter/FORWARD -j logpass-0
- inet/filter/INPUT -j logpass-0
- inet/filter/OUTPUT -j logpass-0
- inet/filter/logpass-0 -m limit --limit 1/second -j LOG
- inet6/filter/FORWARD -j logpass-0
- inet6/filter/INPUT -j logpass-0
- inet6/filter/OUTPUT -j logpass-0
- inet6/filter/logpass-0 -m limit --limit 1/second -j LOG
-
-Filter 16 {"log":"dual"}
-(log)
- inet/filter/FORWARD -j logaccept-1
- inet/filter/INPUT -j logaccept-1
- inet/filter/OUTPUT -j logaccept-1
- inet/filter/logaccept-1 -j LOG
- inet/filter/logaccept-1 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-1
- inet6/filter/INPUT -j logaccept-1
- inet6/filter/OUTPUT -j logaccept-1
- inet6/filter/logaccept-1 -j LOG
- inet6/filter/logaccept-1 -j TEE --gateway fc00::1
- inet6/filter/logaccept-1 -j ACCEPT
-
-Filter 17 {"action":"drop","log":"dual"}
-(log)
- inet/filter/FORWARD -j logdrop-3
- inet/filter/INPUT -j logdrop-3
- inet/filter/OUTPUT -j logdrop-3
- inet/filter/logdrop-3 -j LOG
- inet/filter/logdrop-3 -j DROP
- inet6/filter/FORWARD -j logdrop-3
- inet6/filter/INPUT -j logdrop-3
- inet6/filter/OUTPUT -j logdrop-3
- inet6/filter/logdrop-3 -j LOG
- inet6/filter/logdrop-3 -j TEE --gateway fc00::1
- inet6/filter/logdrop-3 -j DROP
-
-Filter 18 {"action":"pass","log":"dual"}
-(log)
- inet/filter/FORWARD -j logpass-1
- inet/filter/INPUT -j logpass-1
- inet/filter/OUTPUT -j logpass-1
- inet/filter/logpass-1 -j LOG
- inet6/filter/FORWARD -j logpass-1
- inet6/filter/INPUT -j logpass-1
- inet6/filter/OUTPUT -j logpass-1
- inet6/filter/logpass-1 -j LOG
- inet6/filter/logpass-1 -j TEE --gateway fc00::1
-
-Filter 19 {"log":"mirror"}
-(log)
- inet/filter/FORWARD -j logaccept-2
- inet/filter/INPUT -j logaccept-2
- inet/filter/OUTPUT -j logaccept-2
- inet/filter/logaccept-2 -j TEE --gateway 10.0.0.1
- inet/filter/logaccept-2 -j TEE --gateway 10.0.0.2
- inet/filter/logaccept-2 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-2
- inet6/filter/INPUT -j logaccept-2
- inet6/filter/OUTPUT -j logaccept-2
- inet6/filter/logaccept-2 -j TEE --gateway fc00::2
- inet6/filter/logaccept-2 -j ACCEPT
-
-Filter 20 {"action":"drop","log":"mirror"}
-(log)
- inet/filter/FORWARD -j logdrop-4
- inet/filter/INPUT -j logdrop-4
- inet/filter/OUTPUT -j logdrop-4
- inet/filter/logdrop-4 -j TEE --gateway 10.0.0.1
- inet/filter/logdrop-4 -j TEE --gateway 10.0.0.2
- inet/filter/logdrop-4 -j DROP
- inet6/filter/FORWARD -j logdrop-4
- inet6/filter/INPUT -j logdrop-4
- inet6/filter/OUTPUT -j logdrop-4
- inet6/filter/logdrop-4 -j TEE --gateway fc00::2
- inet6/filter/logdrop-4 -j DROP
-
-Filter 21 {"action":"pass","log":"mirror"}
-(log)
- inet/filter/FORWARD -j logpass-2
- inet/filter/INPUT -j logpass-2
- inet/filter/OUTPUT -j logpass-2
- inet/filter/logpass-2 -j TEE --gateway 10.0.0.1
- inet/filter/logpass-2 -j TEE --gateway 10.0.0.2
- inet6/filter/FORWARD -j logpass-2
- inet6/filter/INPUT -j logpass-2
- inet6/filter/OUTPUT -j logpass-2
- inet6/filter/logpass-2 -j TEE --gateway fc00::2
-
-Filter 22 {"log":"none"}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 23 {"action":"drop","log":"none"}
-(log)
- inet/filter/FORWARD -j DROP
- inet/filter/INPUT -j DROP
- inet/filter/OUTPUT -j DROP
- inet6/filter/FORWARD -j DROP
- inet6/filter/INPUT -j DROP
- inet6/filter/OUTPUT -j DROP
-
-Filter 24 {"action":"pass","log":"none"}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 25 {"log":"ulog"}
-(log)
- inet/filter/FORWARD -j logaccept-3
- inet/filter/INPUT -j logaccept-3
- inet/filter/OUTPUT -j logaccept-3
- inet/filter/logaccept-3 -m limit --limit 12/minute -j ULOG
- inet/filter/logaccept-3 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-3
- inet6/filter/INPUT -j logaccept-3
- inet6/filter/OUTPUT -j logaccept-3
- inet6/filter/logaccept-3 -j ACCEPT
-
-Filter 26 {"action":"drop","log":"ulog"}
-(log)
- inet/filter/FORWARD -j logdrop-5
- inet/filter/INPUT -j logdrop-5
- inet/filter/OUTPUT -j logdrop-5
- inet/filter/logdrop-5 -m limit --limit 12/minute -j ULOG
- inet/filter/logdrop-5 -j DROP
- inet6/filter/FORWARD -j logdrop-5
- inet6/filter/INPUT -j logdrop-5
- inet6/filter/OUTPUT -j logdrop-5
- inet6/filter/logdrop-5 -j DROP
-
-Filter 27 {"action":"pass","log":"ulog"}
-(log)
- inet/filter/FORWARD -j logpass-3
- inet/filter/INPUT -j logpass-3
- inet/filter/OUTPUT -j logpass-3
- inet/filter/logpass-3 -m limit --limit 12/minute -j ULOG
-
-Filter 28 {"action":"pass","in":"_fw","log":"ulog"}
+Filter 7 {"action":"pass","in":"_fw","log":"ulog"}
(log)
inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
-Filter 29 {"in":["_fw","A"]}
+Filter 8 {"in":["_fw","A"]}
(zone)
inet/filter/FORWARD -i eth0 -j ACCEPT
inet/filter/INPUT -i eth0 -j ACCEPT
@@ -328,12 +95,12 @@ Filter 29 {"in":["_fw","A"]}
inet6/filter/INPUT -i eth0 -j ACCEPT
inet6/filter/OUTPUT -j ACCEPT
-Filter 30 {"in":"B","out":"C"}
+Filter 9 {"in":"B","out":"C"}
(zone)
inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-Filter 31 {"out":["_fw","B"]}
+Filter 10 {"out":["_fw","B"]}
(zone)
inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
inet/filter/INPUT -j ACCEPT
@@ -342,7 +109,7 @@ Filter 31 {"out":["_fw","B"]}
inet6/filter/INPUT -j ACCEPT
inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-Filter 32 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
+Filter 11 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
(zone)
inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
@@ -751,20 +518,7 @@ hash:net family inet
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logdrop-5 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
:logreject-0 - [0:0]
:logtarpit-0 - [0:0]
:tarpit - [0:0]
@@ -775,27 +529,6 @@ hash:net family inet
-A FORWARD
-A FORWARD -j logreject-0
-A FORWARD -j logtarpit-0
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-1
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-5
--A FORWARD -j logpass-3
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -859,27 +592,6 @@ hash:net family inet
-A INPUT
-A INPUT -j logreject-0
-A INPUT -j logtarpit-0
--A INPUT -j ACCEPT
--A INPUT -j logdrop-1
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-2
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-3
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-4
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-5
--A INPUT -j logpass-3
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
@@ -891,27 +603,6 @@ hash:net family inet
-A OUTPUT
-A OUTPUT -j logreject-0
-A OUTPUT -j logtarpit-0
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-1
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-5
--A OUTPUT -j logpass-3
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -919,33 +610,8 @@ hash:net family inet
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway 10.0.0.1
--A logaccept-2 -j TEE --gateway 10.0.0.2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -m limit --limit 12/minute -j ULOG
--A logaccept-3 -j ACCEPT
-A logdrop-0 -m limit --limit 1/second -j LOG
-A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -m limit --limit 1/second -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j LOG
--A logdrop-3 -j DROP
--A logdrop-4 -j TEE --gateway 10.0.0.1
--A logdrop-4 -j TEE --gateway 10.0.0.2
--A logdrop-4 -j DROP
--A logdrop-5 -m limit --limit 12/minute -j ULOG
--A logdrop-5 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
-A logreject-0 -m limit --limit 1/second -j LOG
-A logreject-0 -j REJECT
-A logtarpit-0 -m limit --limit 1/second -j LOG
@@ -998,19 +664,7 @@ COMMIT
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logdrop-5 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
:logreject-0 - [0:0]
:logtarpit-0 - [0:0]
:tarpit - [0:0]
@@ -1021,26 +675,6 @@ COMMIT
-A FORWARD
-A FORWARD -j logreject-0
-A FORWARD -j logtarpit-0
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-1
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-5
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -1078,26 +712,6 @@ COMMIT
-A INPUT
-A INPUT -j logreject-0
-A INPUT -j logtarpit-0
--A INPUT -j ACCEPT
--A INPUT -j logdrop-1
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-2
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-3
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-4
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-5
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
@@ -1110,56 +724,14 @@ COMMIT
-A OUTPUT -j logreject-0
-A OUTPUT -j logtarpit-0
-A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-1
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-5
--A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j TEE --gateway fc00::1
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway fc00::2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -j ACCEPT
-A logdrop-0 -m limit --limit 1/second -j LOG
-A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -m limit --limit 1/second -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j LOG
--A logdrop-3 -j TEE --gateway fc00::1
--A logdrop-3 -j DROP
--A logdrop-4 -j TEE --gateway fc00::2
--A logdrop-4 -j DROP
--A logdrop-5 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
-A logreject-0 -m limit --limit 1/second -j LOG
-A logreject-0 -j REJECT
-A logtarpit-0 -m limit --limit 1/second -j LOG
diff --git a/test/output/filter/rules-save b/test/output/filter/rules-save
index da23150..72882d3 100644
--- a/test/output/filter/rules-save
+++ b/test/output/filter/rules-save
@@ -4,20 +4,7 @@
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logdrop-5 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
:logreject-0 - [0:0]
:logtarpit-0 - [0:0]
:tarpit - [0:0]
@@ -28,27 +15,6 @@
-A FORWARD
-A FORWARD -j logreject-0
-A FORWARD -j logtarpit-0
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-1
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-5
--A FORWARD -j logpass-3
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -112,27 +78,6 @@
-A INPUT
-A INPUT -j logreject-0
-A INPUT -j logtarpit-0
--A INPUT -j ACCEPT
--A INPUT -j logdrop-1
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-2
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-3
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-4
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-5
--A INPUT -j logpass-3
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
@@ -144,27 +89,6 @@
-A OUTPUT
-A OUTPUT -j logreject-0
-A OUTPUT -j logtarpit-0
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-1
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-5
--A OUTPUT -j logpass-3
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -172,33 +96,8 @@
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway 10.0.0.1
--A logaccept-2 -j TEE --gateway 10.0.0.2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -m limit --limit 12/minute -j ULOG
--A logaccept-3 -j ACCEPT
-A logdrop-0 -m limit --limit 1/second -j LOG
-A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -m limit --limit 1/second -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j LOG
--A logdrop-3 -j DROP
--A logdrop-4 -j TEE --gateway 10.0.0.1
--A logdrop-4 -j TEE --gateway 10.0.0.2
--A logdrop-4 -j DROP
--A logdrop-5 -m limit --limit 12/minute -j ULOG
--A logdrop-5 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
-A logreject-0 -m limit --limit 1/second -j LOG
-A logreject-0 -j REJECT
-A logtarpit-0 -m limit --limit 1/second -j LOG
diff --git a/test/output/filter/rules6-save b/test/output/filter/rules6-save
index 0285ab6..ae0ddf1 100644
--- a/test/output/filter/rules6-save
+++ b/test/output/filter/rules6-save
@@ -4,19 +4,7 @@
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logdrop-5 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
:logreject-0 - [0:0]
:logtarpit-0 - [0:0]
:tarpit - [0:0]
@@ -27,26 +15,6 @@
-A FORWARD
-A FORWARD -j logreject-0
-A FORWARD -j logtarpit-0
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-1
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-5
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -84,26 +52,6 @@
-A INPUT
-A INPUT -j logreject-0
-A INPUT -j logtarpit-0
--A INPUT -j ACCEPT
--A INPUT -j logdrop-1
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-2
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-3
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-4
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-5
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
@@ -116,56 +64,14 @@
-A OUTPUT -j logreject-0
-A OUTPUT -j logtarpit-0
-A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-1
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-5
--A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j TEE --gateway fc00::1
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway fc00::2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -j ACCEPT
-A logdrop-0 -m limit --limit 1/second -j LOG
-A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -m limit --limit 1/second -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j LOG
--A logdrop-3 -j TEE --gateway fc00::1
--A logdrop-3 -j DROP
--A logdrop-4 -j TEE --gateway fc00::2
--A logdrop-4 -j DROP
--A logdrop-5 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
-A logreject-0 -m limit --limit 1/second -j LOG
-A logreject-0 -j REJECT
-A logtarpit-0 -m limit --limit 1/second -j LOG
diff --git a/test/output/ipset/dump b/test/output/ipset/dump
index 947f681..e637773 100644
--- a/test/output/ipset/dump
+++ b/test/output/ipset/dump
@@ -23,244 +23,11 @@ Filter 1 {"action":"drop","in":"A","ipset":[{"args":["in","
inet6/filter/logdrop-ssh-0 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-ssh-0 -j DROP
-Filter 2 {}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 3 {"action":"drop"}
-(log)
- inet/filter/FORWARD -j logdrop-0
- inet/filter/INPUT -j logdrop-0
- inet/filter/OUTPUT -j logdrop-0
- inet/filter/logdrop-0 -m limit --limit 1/second -j LOG
- inet/filter/logdrop-0 -j DROP
- inet6/filter/FORWARD -j logdrop-0
- inet6/filter/INPUT -j logdrop-0
- inet6/filter/OUTPUT -j logdrop-0
- inet6/filter/logdrop-0 -m limit --limit 1/second -j LOG
- inet6/filter/logdrop-0 -j DROP
-
-Filter 4 {"action":"pass"}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 5 {"log":false}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 6 {"action":"drop","log":false}
-(log)
- inet/filter/FORWARD -j DROP
- inet/filter/INPUT -j DROP
- inet/filter/OUTPUT -j DROP
- inet6/filter/FORWARD -j DROP
- inet6/filter/INPUT -j DROP
- inet6/filter/OUTPUT -j DROP
-
-Filter 7 {"action":"pass","log":false}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 8 {"log":true}
-(log)
- inet/filter/FORWARD -j logaccept-0
- inet/filter/INPUT -j logaccept-0
- inet/filter/OUTPUT -j logaccept-0
- inet/filter/logaccept-0 -m limit --limit 1/second -j LOG
- inet/filter/logaccept-0 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-0
- inet6/filter/INPUT -j logaccept-0
- inet6/filter/OUTPUT -j logaccept-0
- inet6/filter/logaccept-0 -m limit --limit 1/second -j LOG
- inet6/filter/logaccept-0 -j ACCEPT
-
-Filter 9 {"action":"drop","log":true}
-(log)
- inet/filter/FORWARD -j logdrop-1
- inet/filter/INPUT -j logdrop-1
- inet/filter/OUTPUT -j logdrop-1
- inet/filter/logdrop-1 -m limit --limit 1/second -j LOG
- inet/filter/logdrop-1 -j DROP
- inet6/filter/FORWARD -j logdrop-1
- inet6/filter/INPUT -j logdrop-1
- inet6/filter/OUTPUT -j logdrop-1
- inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG
- inet6/filter/logdrop-1 -j DROP
-
-Filter 10 {"action":"pass","log":true}
-(log)
- inet/filter/FORWARD -j logpass-0
- inet/filter/INPUT -j logpass-0
- inet/filter/OUTPUT -j logpass-0
- inet/filter/logpass-0 -m limit --limit 1/second -j LOG
- inet6/filter/FORWARD -j logpass-0
- inet6/filter/INPUT -j logpass-0
- inet6/filter/OUTPUT -j logpass-0
- inet6/filter/logpass-0 -m limit --limit 1/second -j LOG
-
-Filter 11 {"log":"dual"}
-(log)
- inet/filter/FORWARD -j logaccept-1
- inet/filter/INPUT -j logaccept-1
- inet/filter/OUTPUT -j logaccept-1
- inet/filter/logaccept-1 -j LOG
- inet/filter/logaccept-1 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-1
- inet6/filter/INPUT -j logaccept-1
- inet6/filter/OUTPUT -j logaccept-1
- inet6/filter/logaccept-1 -j LOG
- inet6/filter/logaccept-1 -j TEE --gateway fc00::1
- inet6/filter/logaccept-1 -j ACCEPT
-
-Filter 12 {"action":"drop","log":"dual"}
-(log)
- inet/filter/FORWARD -j logdrop-2
- inet/filter/INPUT -j logdrop-2
- inet/filter/OUTPUT -j logdrop-2
- inet/filter/logdrop-2 -j LOG
- inet/filter/logdrop-2 -j DROP
- inet6/filter/FORWARD -j logdrop-2
- inet6/filter/INPUT -j logdrop-2
- inet6/filter/OUTPUT -j logdrop-2
- inet6/filter/logdrop-2 -j LOG
- inet6/filter/logdrop-2 -j TEE --gateway fc00::1
- inet6/filter/logdrop-2 -j DROP
-
-Filter 13 {"action":"pass","log":"dual"}
-(log)
- inet/filter/FORWARD -j logpass-1
- inet/filter/INPUT -j logpass-1
- inet/filter/OUTPUT -j logpass-1
- inet/filter/logpass-1 -j LOG
- inet6/filter/FORWARD -j logpass-1
- inet6/filter/INPUT -j logpass-1
- inet6/filter/OUTPUT -j logpass-1
- inet6/filter/logpass-1 -j LOG
- inet6/filter/logpass-1 -j TEE --gateway fc00::1
-
-Filter 14 {"log":"mirror"}
-(log)
- inet/filter/FORWARD -j logaccept-2
- inet/filter/INPUT -j logaccept-2
- inet/filter/OUTPUT -j logaccept-2
- inet/filter/logaccept-2 -j TEE --gateway 10.0.0.1
- inet/filter/logaccept-2 -j TEE --gateway 10.0.0.2
- inet/filter/logaccept-2 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-2
- inet6/filter/INPUT -j logaccept-2
- inet6/filter/OUTPUT -j logaccept-2
- inet6/filter/logaccept-2 -j TEE --gateway fc00::2
- inet6/filter/logaccept-2 -j ACCEPT
-
-Filter 15 {"action":"drop","log":"mirror"}
-(log)
- inet/filter/FORWARD -j logdrop-3
- inet/filter/INPUT -j logdrop-3
- inet/filter/OUTPUT -j logdrop-3
- inet/filter/logdrop-3 -j TEE --gateway 10.0.0.1
- inet/filter/logdrop-3 -j TEE --gateway 10.0.0.2
- inet/filter/logdrop-3 -j DROP
- inet6/filter/FORWARD -j logdrop-3
- inet6/filter/INPUT -j logdrop-3
- inet6/filter/OUTPUT -j logdrop-3
- inet6/filter/logdrop-3 -j TEE --gateway fc00::2
- inet6/filter/logdrop-3 -j DROP
-
-Filter 16 {"action":"pass","log":"mirror"}
-(log)
- inet/filter/FORWARD -j logpass-2
- inet/filter/INPUT -j logpass-2
- inet/filter/OUTPUT -j logpass-2
- inet/filter/logpass-2 -j TEE --gateway 10.0.0.1
- inet/filter/logpass-2 -j TEE --gateway 10.0.0.2
- inet6/filter/FORWARD -j logpass-2
- inet6/filter/INPUT -j logpass-2
- inet6/filter/OUTPUT -j logpass-2
- inet6/filter/logpass-2 -j TEE --gateway fc00::2
-
-Filter 17 {"log":"none"}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 18 {"action":"drop","log":"none"}
-(log)
- inet/filter/FORWARD -j DROP
- inet/filter/INPUT -j DROP
- inet/filter/OUTPUT -j DROP
- inet6/filter/FORWARD -j DROP
- inet6/filter/INPUT -j DROP
- inet6/filter/OUTPUT -j DROP
-
-Filter 19 {"action":"pass","log":"none"}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 20 {"log":"ulog"}
-(log)
- inet/filter/FORWARD -j logaccept-3
- inet/filter/INPUT -j logaccept-3
- inet/filter/OUTPUT -j logaccept-3
- inet/filter/logaccept-3 -m limit --limit 12/minute -j ULOG
- inet/filter/logaccept-3 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-3
- inet6/filter/INPUT -j logaccept-3
- inet6/filter/OUTPUT -j logaccept-3
- inet6/filter/logaccept-3 -j ACCEPT
-
-Filter 21 {"action":"drop","log":"ulog"}
-(log)
- inet/filter/FORWARD -j logdrop-4
- inet/filter/INPUT -j logdrop-4
- inet/filter/OUTPUT -j logdrop-4
- inet/filter/logdrop-4 -m limit --limit 12/minute -j ULOG
- inet/filter/logdrop-4 -j DROP
- inet6/filter/FORWARD -j logdrop-4
- inet6/filter/INPUT -j logdrop-4
- inet6/filter/OUTPUT -j logdrop-4
- inet6/filter/logdrop-4 -j DROP
-
-Filter 22 {"action":"pass","log":"ulog"}
-(log)
- inet/filter/FORWARD -j logpass-3
- inet/filter/INPUT -j logpass-3
- inet/filter/OUTPUT -j logpass-3
- inet/filter/logpass-3 -m limit --limit 12/minute -j ULOG
-
-Filter 23 {"action":"pass","in":"_fw","log":"ulog"}
+Filter 2 {"action":"pass","in":"_fw","log":"ulog"}
(log)
inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
-Filter 24 {"in":["_fw","A"]}
+Filter 3 {"in":["_fw","A"]}
(zone)
inet/filter/FORWARD -i eth0 -j ACCEPT
inet/filter/INPUT -i eth0 -j ACCEPT
@@ -269,12 +36,12 @@ Filter 24 {"in":["_fw","A"]}
inet6/filter/INPUT -i eth0 -j ACCEPT
inet6/filter/OUTPUT -j ACCEPT
-Filter 25 {"in":"B","out":"C"}
+Filter 4 {"in":"B","out":"C"}
(zone)
inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-Filter 26 {"out":["_fw","B"]}
+Filter 5 {"out":["_fw","B"]}
(zone)
inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
inet/filter/INPUT -j ACCEPT
@@ -283,7 +50,7 @@ Filter 26 {"out":["_fw","B"]}
inet6/filter/INPUT -j ACCEPT
inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-Filter 27 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
+Filter 6 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
(zone)
inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
@@ -704,43 +471,9 @@ hash:net,iface family inet
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
:logdrop-ssh-0 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m set --match-set foo src,dst -p tcp --dport 22 -j logdrop-ssh-0
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-3
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -799,53 +532,11 @@ hash:net,iface family inet
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m set --match-set foo src,dst -p tcp --dport 22 -j logdrop-ssh-0
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
--A INPUT -j logpass-3
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-3
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -853,33 +544,8 @@ hash:net,iface family inet
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway 10.0.0.1
--A logaccept-2 -j TEE --gateway 10.0.0.2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -m limit --limit 12/minute -j ULOG
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway 10.0.0.1
--A logdrop-3 -j TEE --gateway 10.0.0.2
--A logdrop-3 -j DROP
--A logdrop-4 -m limit --limit 12/minute -j ULOG
--A logdrop-4 -j DROP
-A logdrop-ssh-0 -m limit --limit 1/second -j LOG
-A logdrop-ssh-0 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
@@ -924,41 +590,9 @@ COMMIT
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
:logdrop-ssh-0 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m set --match-set bar src -p tcp --dport 22 -j logdrop-ssh-0
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -991,82 +625,20 @@ COMMIT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m set --match-set bar src -p tcp --dport 22 -j logdrop-ssh-0
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j TEE --gateway fc00::1
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway fc00::2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j TEE --gateway fc00::1
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway fc00::2
--A logdrop-3 -j DROP
--A logdrop-4 -j DROP
-A logdrop-ssh-0 -m limit --limit 1/second -j LOG
-A logdrop-ssh-0 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
COMMIT
*mangle
:INPUT ACCEPT [0:0]
diff --git a/test/output/ipset/rules-save b/test/output/ipset/rules-save
index 9911a0b..eb1127b 100644
--- a/test/output/ipset/rules-save
+++ b/test/output/ipset/rules-save
@@ -4,43 +4,9 @@
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
:logdrop-ssh-0 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m set --match-set foo src,dst -p tcp --dport 22 -j logdrop-ssh-0
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-3
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -99,53 +65,11 @@
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m set --match-set foo src,dst -p tcp --dport 22 -j logdrop-ssh-0
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
--A INPUT -j logpass-3
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-3
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -153,33 +77,8 @@
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway 10.0.0.1
--A logaccept-2 -j TEE --gateway 10.0.0.2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -m limit --limit 12/minute -j ULOG
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway 10.0.0.1
--A logdrop-3 -j TEE --gateway 10.0.0.2
--A logdrop-3 -j DROP
--A logdrop-4 -m limit --limit 12/minute -j ULOG
--A logdrop-4 -j DROP
-A logdrop-ssh-0 -m limit --limit 1/second -j LOG
-A logdrop-ssh-0 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
diff --git a/test/output/ipset/rules6-save b/test/output/ipset/rules6-save
index b2d2565..259e8d3 100644
--- a/test/output/ipset/rules6-save
+++ b/test/output/ipset/rules6-save
@@ -4,41 +4,9 @@
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
:logdrop-ssh-0 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m set --match-set bar src -p tcp --dport 22 -j logdrop-ssh-0
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -71,82 +39,20 @@
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m set --match-set bar src -p tcp --dport 22 -j logdrop-ssh-0
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j TEE --gateway fc00::1
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway fc00::2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j TEE --gateway fc00::1
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway fc00::2
--A logdrop-3 -j DROP
--A logdrop-4 -j DROP
-A logdrop-ssh-0 -m limit --limit 1/second -j LOG
-A logdrop-ssh-0 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
COMMIT
*mangle
:INPUT ACCEPT [0:0]
diff --git a/test/output/nat/dump b/test/output/nat/dump
index b9620bb..c533b7a 100644
--- a/test/output/nat/dump
+++ b/test/output/nat/dump
@@ -158,336 +158,103 @@ Dnat 36 {"in":"B"}
inet/nat/PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
-Filter 1 {}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 2 {"action":"drop"}
-(log)
- inet/filter/FORWARD -j logdrop-0
- inet/filter/INPUT -j logdrop-0
- inet/filter/OUTPUT -j logdrop-0
- inet/filter/logdrop-0 -m limit --limit 1/second -j LOG
- inet/filter/logdrop-0 -j DROP
- inet6/filter/FORWARD -j logdrop-0
- inet6/filter/INPUT -j logdrop-0
- inet6/filter/OUTPUT -j logdrop-0
- inet6/filter/logdrop-0 -m limit --limit 1/second -j LOG
- inet6/filter/logdrop-0 -j DROP
-
-Filter 3 {"action":"pass"}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 4 {"log":false}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 5 {"action":"drop","log":false}
-(log)
- inet/filter/FORWARD -j DROP
- inet/filter/INPUT -j DROP
- inet/filter/OUTPUT -j DROP
- inet6/filter/FORWARD -j DROP
- inet6/filter/INPUT -j DROP
- inet6/filter/OUTPUT -j DROP
-
-Filter 6 {"action":"pass","log":false}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 7 {"log":true}
-(log)
- inet/filter/FORWARD -j logaccept-0
- inet/filter/INPUT -j logaccept-0
- inet/filter/OUTPUT -j logaccept-0
- inet/filter/logaccept-0 -m limit --limit 1/second -j LOG
- inet/filter/logaccept-0 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-0
- inet6/filter/INPUT -j logaccept-0
- inet6/filter/OUTPUT -j logaccept-0
- inet6/filter/logaccept-0 -m limit --limit 1/second -j LOG
- inet6/filter/logaccept-0 -j ACCEPT
-
-Filter 8 {"action":"drop","log":true}
-(log)
- inet/filter/FORWARD -j logdrop-1
- inet/filter/INPUT -j logdrop-1
- inet/filter/OUTPUT -j logdrop-1
- inet/filter/logdrop-1 -m limit --limit 1/second -j LOG
- inet/filter/logdrop-1 -j DROP
- inet6/filter/FORWARD -j logdrop-1
- inet6/filter/INPUT -j logdrop-1
- inet6/filter/OUTPUT -j logdrop-1
- inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG
- inet6/filter/logdrop-1 -j DROP
-
-Filter 9 {"action":"pass","log":true}
-(log)
- inet/filter/FORWARD -j logpass-0
- inet/filter/INPUT -j logpass-0
- inet/filter/OUTPUT -j logpass-0
- inet/filter/logpass-0 -m limit --limit 1/second -j LOG
- inet6/filter/FORWARD -j logpass-0
- inet6/filter/INPUT -j logpass-0
- inet6/filter/OUTPUT -j logpass-0
- inet6/filter/logpass-0 -m limit --limit 1/second -j LOG
-
-Filter 10 {"log":"dual"}
-(log)
- inet/filter/FORWARD -j logaccept-1
- inet/filter/INPUT -j logaccept-1
- inet/filter/OUTPUT -j logaccept-1
- inet/filter/logaccept-1 -j LOG
- inet/filter/logaccept-1 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-1
- inet6/filter/INPUT -j logaccept-1
- inet6/filter/OUTPUT -j logaccept-1
- inet6/filter/logaccept-1 -j LOG
- inet6/filter/logaccept-1 -j TEE --gateway fc00::1
- inet6/filter/logaccept-1 -j ACCEPT
-
-Filter 11 {"action":"drop","log":"dual"}
-(log)
- inet/filter/FORWARD -j logdrop-2
- inet/filter/INPUT -j logdrop-2
- inet/filter/OUTPUT -j logdrop-2
- inet/filter/logdrop-2 -j LOG
- inet/filter/logdrop-2 -j DROP
- inet6/filter/FORWARD -j logdrop-2
- inet6/filter/INPUT -j logdrop-2
- inet6/filter/OUTPUT -j logdrop-2
- inet6/filter/logdrop-2 -j LOG
- inet6/filter/logdrop-2 -j TEE --gateway fc00::1
- inet6/filter/logdrop-2 -j DROP
-
-Filter 12 {"action":"pass","log":"dual"}
-(log)
- inet/filter/FORWARD -j logpass-1
- inet/filter/INPUT -j logpass-1
- inet/filter/OUTPUT -j logpass-1
- inet/filter/logpass-1 -j LOG
- inet6/filter/FORWARD -j logpass-1
- inet6/filter/INPUT -j logpass-1
- inet6/filter/OUTPUT -j logpass-1
- inet6/filter/logpass-1 -j LOG
- inet6/filter/logpass-1 -j TEE --gateway fc00::1
-
-Filter 13 {"log":"mirror"}
-(log)
- inet/filter/FORWARD -j logaccept-2
- inet/filter/INPUT -j logaccept-2
- inet/filter/OUTPUT -j logaccept-2
- inet/filter/logaccept-2 -j TEE --gateway 10.0.0.1
- inet/filter/logaccept-2 -j TEE --gateway 10.0.0.2
- inet/filter/logaccept-2 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-2
- inet6/filter/INPUT -j logaccept-2
- inet6/filter/OUTPUT -j logaccept-2
- inet6/filter/logaccept-2 -j TEE --gateway fc00::2
- inet6/filter/logaccept-2 -j ACCEPT
-
-Filter 14 {"action":"drop","log":"mirror"}
-(log)
- inet/filter/FORWARD -j logdrop-3
- inet/filter/INPUT -j logdrop-3
- inet/filter/OUTPUT -j logdrop-3
- inet/filter/logdrop-3 -j TEE --gateway 10.0.0.1
- inet/filter/logdrop-3 -j TEE --gateway 10.0.0.2
- inet/filter/logdrop-3 -j DROP
- inet6/filter/FORWARD -j logdrop-3
- inet6/filter/INPUT -j logdrop-3
- inet6/filter/OUTPUT -j logdrop-3
- inet6/filter/logdrop-3 -j TEE --gateway fc00::2
- inet6/filter/logdrop-3 -j DROP
-
-Filter 15 {"action":"pass","log":"mirror"}
-(log)
- inet/filter/FORWARD -j logpass-2
- inet/filter/INPUT -j logpass-2
- inet/filter/OUTPUT -j logpass-2
- inet/filter/logpass-2 -j TEE --gateway 10.0.0.1
- inet/filter/logpass-2 -j TEE --gateway 10.0.0.2
- inet6/filter/FORWARD -j logpass-2
- inet6/filter/INPUT -j logpass-2
- inet6/filter/OUTPUT -j logpass-2
- inet6/filter/logpass-2 -j TEE --gateway fc00::2
-
-Filter 16 {"log":"none"}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 17 {"action":"drop","log":"none"}
-(log)
- inet/filter/FORWARD -j DROP
- inet/filter/INPUT -j DROP
- inet/filter/OUTPUT -j DROP
- inet6/filter/FORWARD -j DROP
- inet6/filter/INPUT -j DROP
- inet6/filter/OUTPUT -j DROP
-
-Filter 18 {"action":"pass","log":"none"}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 19 {"log":"ulog"}
-(log)
- inet/filter/FORWARD -j logaccept-3
- inet/filter/INPUT -j logaccept-3
- inet/filter/OUTPUT -j logaccept-3
- inet/filter/logaccept-3 -m limit --limit 12/minute -j ULOG
- inet/filter/logaccept-3 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-3
- inet6/filter/INPUT -j logaccept-3
- inet6/filter/OUTPUT -j logaccept-3
- inet6/filter/logaccept-3 -j ACCEPT
-
-Filter 20 {"action":"drop","log":"ulog"}
-(log)
- inet/filter/FORWARD -j logdrop-4
- inet/filter/INPUT -j logdrop-4
- inet/filter/OUTPUT -j logdrop-4
- inet/filter/logdrop-4 -m limit --limit 12/minute -j ULOG
- inet/filter/logdrop-4 -j DROP
- inet6/filter/FORWARD -j logdrop-4
- inet6/filter/INPUT -j logdrop-4
- inet6/filter/OUTPUT -j logdrop-4
- inet6/filter/logdrop-4 -j DROP
-
-Filter 21 {"action":"pass","log":"ulog"}
-(log)
- inet/filter/FORWARD -j logpass-3
- inet/filter/INPUT -j logpass-3
- inet/filter/OUTPUT -j logpass-3
- inet/filter/logpass-3 -m limit --limit 12/minute -j ULOG
-
-Filter 22 {"action":"pass","in":"_fw","log":"ulog"}
-(log)
- inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
-
-Filter 23 {"in":["_fw","A"]}
-(zone)
- inet/filter/FORWARD -i eth0 -j ACCEPT
- inet/filter/INPUT -i eth0 -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -i eth0 -j ACCEPT
- inet6/filter/INPUT -i eth0 -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 24 {"in":"B","out":"C"}
-(zone)
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+Filter 1 {"action":"pass","in":"_fw","log":"ulog"}
+(log)
+ inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
-Filter 25 {"out":["_fw","B"]}
-(zone)
- inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-
-Filter 26 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
-(zone)
- inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+Filter 2 {"in":["_fw","A"]}
+(zone)
+ inet/filter/FORWARD -i eth0 -j ACCEPT
+ inet/filter/INPUT -i eth0 -j ACCEPT
+ inet/filter/OUTPUT -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -j ACCEPT
+ inet6/filter/INPUT -i eth0 -j ACCEPT
+ inet6/filter/OUTPUT -j ACCEPT
+
+Filter 3 {"in":"B","out":"C"}
+(zone)
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+
+Filter 4 {"out":["_fw","B"]}
+(zone)
+ inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/INPUT -j ACCEPT
+ inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/INPUT -j ACCEPT
+ inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
+
+Filter 5 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
+(zone)
+ inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
Ipset awall-masquerade {"family":"inet","type":"hash:net"}
@@ -973,41 +740,7 @@ hash:net family inet
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-3
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -1065,53 +798,11 @@ hash:net family inet
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
--A INPUT -j logpass-3
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-3
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -1119,31 +810,6 @@ hash:net family inet
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway 10.0.0.1
--A logaccept-2 -j TEE --gateway 10.0.0.2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -m limit --limit 12/minute -j ULOG
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway 10.0.0.1
--A logdrop-3 -j TEE --gateway 10.0.0.2
--A logdrop-3 -j DROP
--A logdrop-4 -m limit --limit 12/minute -j ULOG
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
@@ -1236,39 +902,7 @@ COMMIT
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -1300,80 +934,18 @@ COMMIT
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j TEE --gateway fc00::1
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway fc00::2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j TEE --gateway fc00::1
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway fc00::2
--A logdrop-3 -j DROP
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
COMMIT
*mangle
:INPUT ACCEPT [0:0]
diff --git a/test/output/nat/rules-save b/test/output/nat/rules-save
index 6cb780f..87177d5 100644
--- a/test/output/nat/rules-save
+++ b/test/output/nat/rules-save
@@ -4,41 +4,7 @@
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-3
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -96,53 +62,11 @@
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
--A INPUT -j logpass-3
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-3
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -150,31 +74,6 @@
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway 10.0.0.1
--A logaccept-2 -j TEE --gateway 10.0.0.2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -m limit --limit 12/minute -j ULOG
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway 10.0.0.1
--A logdrop-3 -j TEE --gateway 10.0.0.2
--A logdrop-3 -j DROP
--A logdrop-4 -m limit --limit 12/minute -j ULOG
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
diff --git a/test/output/nat/rules6-save b/test/output/nat/rules6-save
index 6eb67fc..205fe05 100644
--- a/test/output/nat/rules6-save
+++ b/test/output/nat/rules6-save
@@ -4,39 +4,7 @@
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -68,80 +36,18 @@
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j TEE --gateway fc00::1
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway fc00::2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j TEE --gateway fc00::1
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway fc00::2
--A logdrop-3 -j DROP
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
COMMIT
*mangle
:INPUT ACCEPT [0:0]
diff --git a/test/output/no-track/dump b/test/output/no-track/dump
index cc045e3..664c09b 100644
--- a/test/output/no-track/dump
+++ b/test/output/no-track/dump
@@ -12,402 +12,169 @@ Dnat 2 {"in":"B"}
inet/nat/PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
-Filter 1 {}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 2 {"action":"drop"}
-(log)
- inet/filter/FORWARD -j logdrop-0
- inet/filter/INPUT -j logdrop-0
- inet/filter/OUTPUT -j logdrop-0
- inet/filter/logdrop-0 -m limit --limit 1/second -j LOG
- inet/filter/logdrop-0 -j DROP
- inet6/filter/FORWARD -j logdrop-0
- inet6/filter/INPUT -j logdrop-0
- inet6/filter/OUTPUT -j logdrop-0
- inet6/filter/logdrop-0 -m limit --limit 1/second -j LOG
- inet6/filter/logdrop-0 -j DROP
-
-Filter 3 {"action":"pass"}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 4 {"log":false}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 5 {"action":"drop","log":false}
-(log)
- inet/filter/FORWARD -j DROP
- inet/filter/INPUT -j DROP
- inet/filter/OUTPUT -j DROP
- inet6/filter/FORWARD -j DROP
- inet6/filter/INPUT -j DROP
- inet6/filter/OUTPUT -j DROP
-
-Filter 6 {"action":"pass","log":false}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 7 {"log":true}
-(log)
- inet/filter/FORWARD -j logaccept-0
- inet/filter/INPUT -j logaccept-0
- inet/filter/OUTPUT -j logaccept-0
- inet/filter/logaccept-0 -m limit --limit 1/second -j LOG
- inet/filter/logaccept-0 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-0
- inet6/filter/INPUT -j logaccept-0
- inet6/filter/OUTPUT -j logaccept-0
- inet6/filter/logaccept-0 -m limit --limit 1/second -j LOG
- inet6/filter/logaccept-0 -j ACCEPT
-
-Filter 8 {"action":"drop","log":true}
-(log)
- inet/filter/FORWARD -j logdrop-1
- inet/filter/INPUT -j logdrop-1
- inet/filter/OUTPUT -j logdrop-1
- inet/filter/logdrop-1 -m limit --limit 1/second -j LOG
- inet/filter/logdrop-1 -j DROP
- inet6/filter/FORWARD -j logdrop-1
- inet6/filter/INPUT -j logdrop-1
- inet6/filter/OUTPUT -j logdrop-1
- inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG
- inet6/filter/logdrop-1 -j DROP
-
-Filter 9 {"action":"pass","log":true}
-(log)
- inet/filter/FORWARD -j logpass-0
- inet/filter/INPUT -j logpass-0
- inet/filter/OUTPUT -j logpass-0
- inet/filter/logpass-0 -m limit --limit 1/second -j LOG
- inet6/filter/FORWARD -j logpass-0
- inet6/filter/INPUT -j logpass-0
- inet6/filter/OUTPUT -j logpass-0
- inet6/filter/logpass-0 -m limit --limit 1/second -j LOG
-
-Filter 10 {"log":"dual"}
-(log)
- inet/filter/FORWARD -j logaccept-1
- inet/filter/INPUT -j logaccept-1
- inet/filter/OUTPUT -j logaccept-1
- inet/filter/logaccept-1 -j LOG
- inet/filter/logaccept-1 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-1
- inet6/filter/INPUT -j logaccept-1
- inet6/filter/OUTPUT -j logaccept-1
- inet6/filter/logaccept-1 -j LOG
- inet6/filter/logaccept-1 -j TEE --gateway fc00::1
- inet6/filter/logaccept-1 -j ACCEPT
-
-Filter 11 {"action":"drop","log":"dual"}
-(log)
- inet/filter/FORWARD -j logdrop-2
- inet/filter/INPUT -j logdrop-2
- inet/filter/OUTPUT -j logdrop-2
- inet/filter/logdrop-2 -j LOG
- inet/filter/logdrop-2 -j DROP
- inet6/filter/FORWARD -j logdrop-2
- inet6/filter/INPUT -j logdrop-2
- inet6/filter/OUTPUT -j logdrop-2
- inet6/filter/logdrop-2 -j LOG
- inet6/filter/logdrop-2 -j TEE --gateway fc00::1
- inet6/filter/logdrop-2 -j DROP
-
-Filter 12 {"action":"pass","log":"dual"}
-(log)
- inet/filter/FORWARD -j logpass-1
- inet/filter/INPUT -j logpass-1
- inet/filter/OUTPUT -j logpass-1
- inet/filter/logpass-1 -j LOG
- inet6/filter/FORWARD -j logpass-1
- inet6/filter/INPUT -j logpass-1
- inet6/filter/OUTPUT -j logpass-1
- inet6/filter/logpass-1 -j LOG
- inet6/filter/logpass-1 -j TEE --gateway fc00::1
-
-Filter 13 {"log":"mirror"}
-(log)
- inet/filter/FORWARD -j logaccept-2
- inet/filter/INPUT -j logaccept-2
- inet/filter/OUTPUT -j logaccept-2
- inet/filter/logaccept-2 -j TEE --gateway 10.0.0.1
- inet/filter/logaccept-2 -j TEE --gateway 10.0.0.2
- inet/filter/logaccept-2 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-2
- inet6/filter/INPUT -j logaccept-2
- inet6/filter/OUTPUT -j logaccept-2
- inet6/filter/logaccept-2 -j TEE --gateway fc00::2
- inet6/filter/logaccept-2 -j ACCEPT
-
-Filter 14 {"action":"drop","log":"mirror"}
-(log)
- inet/filter/FORWARD -j logdrop-3
- inet/filter/INPUT -j logdrop-3
- inet/filter/OUTPUT -j logdrop-3
- inet/filter/logdrop-3 -j TEE --gateway 10.0.0.1
- inet/filter/logdrop-3 -j TEE --gateway 10.0.0.2
- inet/filter/logdrop-3 -j DROP
- inet6/filter/FORWARD -j logdrop-3
- inet6/filter/INPUT -j logdrop-3
- inet6/filter/OUTPUT -j logdrop-3
- inet6/filter/logdrop-3 -j TEE --gateway fc00::2
- inet6/filter/logdrop-3 -j DROP
-
-Filter 15 {"action":"pass","log":"mirror"}
-(log)
- inet/filter/FORWARD -j logpass-2
- inet/filter/INPUT -j logpass-2
- inet/filter/OUTPUT -j logpass-2
- inet/filter/logpass-2 -j TEE --gateway 10.0.0.1
- inet/filter/logpass-2 -j TEE --gateway 10.0.0.2
- inet6/filter/FORWARD -j logpass-2
- inet6/filter/INPUT -j logpass-2
- inet6/filter/OUTPUT -j logpass-2
- inet6/filter/logpass-2 -j TEE --gateway fc00::2
-
-Filter 16 {"log":"none"}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 17 {"action":"drop","log":"none"}
-(log)
- inet/filter/FORWARD -j DROP
- inet/filter/INPUT -j DROP
- inet/filter/OUTPUT -j DROP
- inet6/filter/FORWARD -j DROP
- inet6/filter/INPUT -j DROP
- inet6/filter/OUTPUT -j DROP
-
-Filter 18 {"action":"pass","log":"none"}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 19 {"log":"ulog"}
-(log)
- inet/filter/FORWARD -j logaccept-3
- inet/filter/INPUT -j logaccept-3
- inet/filter/OUTPUT -j logaccept-3
- inet/filter/logaccept-3 -m limit --limit 12/minute -j ULOG
- inet/filter/logaccept-3 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-3
- inet6/filter/INPUT -j logaccept-3
- inet6/filter/OUTPUT -j logaccept-3
- inet6/filter/logaccept-3 -j ACCEPT
-
-Filter 20 {"action":"drop","log":"ulog"}
-(log)
- inet/filter/FORWARD -j logdrop-4
- inet/filter/INPUT -j logdrop-4
- inet/filter/OUTPUT -j logdrop-4
- inet/filter/logdrop-4 -m limit --limit 12/minute -j ULOG
- inet/filter/logdrop-4 -j DROP
- inet6/filter/FORWARD -j logdrop-4
- inet6/filter/INPUT -j logdrop-4
- inet6/filter/OUTPUT -j logdrop-4
- inet6/filter/logdrop-4 -j DROP
-
-Filter 21 {"action":"pass","log":"ulog"}
-(log)
- inet/filter/FORWARD -j logpass-3
- inet/filter/INPUT -j logpass-3
- inet/filter/OUTPUT -j logpass-3
- inet/filter/logpass-3 -m limit --limit 12/minute -j ULOG
-
-Filter 22 {"action":"pass","in":"_fw","log":"ulog"}
-(log)
- inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
-
-Filter 23 {"in":"_fw","no-track":true,"service":"http"}
-(no-track)
- inet/filter/INPUT -p tcp --sport 80 -j ACCEPT
- inet/filter/OUTPUT -p tcp --dport 80 -j ACCEPT
- inet/raw/OUTPUT -p tcp --dport 80 -j CT --notrack
- inet/raw/PREROUTING -m addrtype --dst-type LOCAL -p tcp --sport 80 -j CT --notrack
- inet6/filter/INPUT -p tcp --sport 80 -j ACCEPT
- inet6/filter/OUTPUT -p tcp --dport 80 -j ACCEPT
- inet6/raw/OUTPUT -p tcp --dport 80 -j CT --notrack
- inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -p tcp --sport 80 -j CT --notrack
-
-Filter 24 {"dest":"172.17.0.0\/16","no-track":true,"service":"radius","src":"172.16.0.0\/16"}
-(no-track)
- inet/filter/FORWARD -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
- inet/filter/FORWARD -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
- inet/filter/FORWARD -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
- inet/filter/FORWARD -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
- inet/filter/INPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
- inet/filter/INPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
- inet/filter/INPUT -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
- inet/filter/INPUT -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
- inet/filter/OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
- inet/filter/OUTPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
- inet/filter/OUTPUT -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
- inet/filter/OUTPUT -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
- inet/raw/OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack
- inet/raw/OUTPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack
- inet/raw/OUTPUT -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack
- inet/raw/OUTPUT -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack
- inet/raw/PREROUTING -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack
- inet/raw/PREROUTING -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack
- inet/raw/PREROUTING -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack
- inet/raw/PREROUTING -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack
-
-Filter 25 {"dest":"172.18.0.0\/16","no-track":true,"service":"ssh"}
-(no-track)
- inet/filter/FORWARD -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT
- inet/filter/FORWARD -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT
- inet/filter/INPUT -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT
- inet/filter/INPUT -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT
- inet/filter/OUTPUT -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT
- inet/filter/OUTPUT -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT
- inet/raw/OUTPUT -p tcp --dport 22 -d 172.18.0.0/16 -j CT --notrack
- inet/raw/OUTPUT -p tcp --sport 22 -s 172.18.0.0/16 -j CT --notrack
- inet/raw/PREROUTING -p tcp --dport 22 -d 172.18.0.0/16 -j CT --notrack
- inet/raw/PREROUTING -p tcp --sport 22 -s 172.18.0.0/16 -j CT --notrack
-
-Filter 26 {"no-track":true,"out":"_fw","service":"ipsec"}
-(no-track)
- inet/filter/INPUT -p esp -j ACCEPT
- inet/filter/INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
- inet/filter/OUTPUT -p esp -j ACCEPT
- inet/filter/OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT
- inet/raw/OUTPUT -p esp -j CT --notrack
- inet/raw/OUTPUT -p udp -m multiport --sports 500,4500 -j CT --notrack
- inet/raw/PREROUTING -m addrtype --dst-type LOCAL -p esp -j CT --notrack
- inet/raw/PREROUTING -m addrtype --dst-type LOCAL -p udp -m multiport --dports 500,4500 -j CT --notrack
- inet6/filter/INPUT -p esp -j ACCEPT
- inet6/filter/INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
- inet6/filter/OUTPUT -p esp -j ACCEPT
- inet6/filter/OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT
- inet6/raw/OUTPUT -p esp -j CT --notrack
- inet6/raw/OUTPUT -p udp -m multiport --sports 500,4500 -j CT --notrack
- inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -p esp -j CT --notrack
- inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -p udp -m multiport --dports 500,4500 -j CT --notrack
-
-Filter 27 {"in":["_fw","A"]}
-(zone)
- inet/filter/FORWARD -i eth0 -j ACCEPT
- inet/filter/INPUT -i eth0 -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -i eth0 -j ACCEPT
- inet6/filter/INPUT -i eth0 -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 28 {"in":"B","out":"C"}
-(zone)
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+Filter 1 {"action":"pass","in":"_fw","log":"ulog"}
+(log)
+ inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
+
+Filter 2 {"in":"_fw","no-track":true,"service":"http"}
+(no-track)
+ inet/filter/INPUT -p tcp --sport 80 -j ACCEPT
+ inet/filter/OUTPUT -p tcp --dport 80 -j ACCEPT
+ inet/raw/OUTPUT -p tcp --dport 80 -j CT --notrack
+ inet/raw/PREROUTING -m addrtype --dst-type LOCAL -p tcp --sport 80 -j CT --notrack
+ inet6/filter/INPUT -p tcp --sport 80 -j ACCEPT
+ inet6/filter/OUTPUT -p tcp --dport 80 -j ACCEPT
+ inet6/raw/OUTPUT -p tcp --dport 80 -j CT --notrack
+ inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -p tcp --sport 80 -j CT --notrack
+
+Filter 3 {"dest":"172.17.0.0\/16","no-track":true,"service":"radius","src":"172.16.0.0\/16"}
+(no-track)
+ inet/filter/FORWARD -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
+ inet/filter/FORWARD -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
+ inet/filter/FORWARD -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
+ inet/filter/FORWARD -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
+ inet/filter/INPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
+ inet/filter/INPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
+ inet/filter/INPUT -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
+ inet/filter/INPUT -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
+ inet/filter/OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
+ inet/filter/OUTPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
+ inet/filter/OUTPUT -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
+ inet/filter/OUTPUT -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
+ inet/raw/OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack
+ inet/raw/OUTPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack
+ inet/raw/OUTPUT -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack
+ inet/raw/OUTPUT -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack
+ inet/raw/PREROUTING -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack
+ inet/raw/PREROUTING -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack
+ inet/raw/PREROUTING -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack
+ inet/raw/PREROUTING -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack
+
+Filter 4 {"dest":"172.18.0.0\/16","no-track":true,"service":"ssh"}
+(no-track)
+ inet/filter/FORWARD -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT
+ inet/filter/FORWARD -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT
+ inet/filter/INPUT -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT
+ inet/filter/INPUT -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT
+ inet/filter/OUTPUT -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT
+ inet/filter/OUTPUT -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT
+ inet/raw/OUTPUT -p tcp --dport 22 -d 172.18.0.0/16 -j CT --notrack
+ inet/raw/OUTPUT -p tcp --sport 22 -s 172.18.0.0/16 -j CT --notrack
+ inet/raw/PREROUTING -p tcp --dport 22 -d 172.18.0.0/16 -j CT --notrack
+ inet/raw/PREROUTING -p tcp --sport 22 -s 172.18.0.0/16 -j CT --notrack
+
+Filter 5 {"no-track":true,"out":"_fw","service":"ipsec"}
+(no-track)
+ inet/filter/INPUT -p esp -j ACCEPT
+ inet/filter/INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
+ inet/filter/OUTPUT -p esp -j ACCEPT
+ inet/filter/OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT
+ inet/raw/OUTPUT -p esp -j CT --notrack
+ inet/raw/OUTPUT -p udp -m multiport --sports 500,4500 -j CT --notrack
+ inet/raw/PREROUTING -m addrtype --dst-type LOCAL -p esp -j CT --notrack
+ inet/raw/PREROUTING -m addrtype --dst-type LOCAL -p udp -m multiport --dports 500,4500 -j CT --notrack
+ inet6/filter/INPUT -p esp -j ACCEPT
+ inet6/filter/INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
+ inet6/filter/OUTPUT -p esp -j ACCEPT
+ inet6/filter/OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT
+ inet6/raw/OUTPUT -p esp -j CT --notrack
+ inet6/raw/OUTPUT -p udp -m multiport --sports 500,4500 -j CT --notrack
+ inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -p esp -j CT --notrack
+ inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -p udp -m multiport --dports 500,4500 -j CT --notrack
+
+Filter 6 {"in":["_fw","A"]}
+(zone)
+ inet/filter/FORWARD -i eth0 -j ACCEPT
+ inet/filter/INPUT -i eth0 -j ACCEPT
+ inet/filter/OUTPUT -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -j ACCEPT
+ inet6/filter/INPUT -i eth0 -j ACCEPT
+ inet6/filter/OUTPUT -j ACCEPT
+
+Filter 7 {"in":"B","out":"C"}
+(zone)
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-Filter 29 {"out":["_fw","B"]}
-(zone)
- inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-
-Filter 30 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
-(zone)
- inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+Filter 8 {"out":["_fw","B"]}
+(zone)
+ inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/INPUT -j ACCEPT
+ inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/INPUT -j ACCEPT
+ inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
+
+Filter 9 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
+(zone)
+ inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
Ipset awall-masquerade {"family":"inet","type":"hash:net"}
@@ -747,41 +514,7 @@ hash:net family inet
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-3
-A FORWARD -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A FORWARD -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A FORWARD -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
@@ -845,27 +578,6 @@ hash:net family inet
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
--A INPUT -j logpass-3
-A INPUT -p tcp --sport 80 -j ACCEPT
-A INPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A INPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
@@ -880,27 +592,6 @@ hash:net family inet
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-3
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
@@ -917,31 +608,6 @@ hash:net family inet
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway 10.0.0.1
--A logaccept-2 -j TEE --gateway 10.0.0.2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -m limit --limit 12/minute -j ULOG
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway 10.0.0.1
--A logdrop-3 -j TEE --gateway 10.0.0.2
--A logdrop-3 -j DROP
--A logdrop-4 -m limit --limit 12/minute -j ULOG
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
@@ -1004,39 +670,7 @@ COMMIT
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -1068,26 +702,6 @@ COMMIT
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
-A INPUT -p tcp --sport 80 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
@@ -1096,26 +710,6 @@ COMMIT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT
@@ -1126,28 +720,6 @@ COMMIT
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j TEE --gateway fc00::1
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway fc00::2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j TEE --gateway fc00::1
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway fc00::2
--A logdrop-3 -j DROP
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
COMMIT
*mangle
:INPUT ACCEPT [0:0]
diff --git a/test/output/no-track/rules-save b/test/output/no-track/rules-save
index 807fa87..e4c2914 100644
--- a/test/output/no-track/rules-save
+++ b/test/output/no-track/rules-save
@@ -4,41 +4,7 @@
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-3
-A FORWARD -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A FORWARD -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A FORWARD -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
@@ -102,27 +68,6 @@
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
--A INPUT -j logpass-3
-A INPUT -p tcp --sport 80 -j ACCEPT
-A INPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A INPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
@@ -137,27 +82,6 @@
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-3
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
@@ -174,31 +98,6 @@
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway 10.0.0.1
--A logaccept-2 -j TEE --gateway 10.0.0.2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -m limit --limit 12/minute -j ULOG
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway 10.0.0.1
--A logdrop-3 -j TEE --gateway 10.0.0.2
--A logdrop-3 -j DROP
--A logdrop-4 -m limit --limit 12/minute -j ULOG
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
diff --git a/test/output/no-track/rules6-save b/test/output/no-track/rules6-save
index f742fd3..75fed77 100644
--- a/test/output/no-track/rules6-save
+++ b/test/output/no-track/rules6-save
@@ -4,39 +4,7 @@
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -68,26 +36,6 @@
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
-A INPUT -p tcp --sport 80 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
@@ -96,26 +44,6 @@
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT
@@ -126,28 +54,6 @@
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j TEE --gateway fc00::1
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway fc00::2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j TEE --gateway fc00::1
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway fc00::2
--A logdrop-3 -j DROP
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
COMMIT
*mangle
:INPUT ACCEPT [0:0]
diff --git a/test/output/route-track/dump b/test/output/route-track/dump
index 70862d9..01d1004 100644
--- a/test/output/route-track/dump
+++ b/test/output/route-track/dump
@@ -12,336 +12,103 @@ Dnat 2 {"in":"B"}
inet/nat/PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
-Filter 1 {}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 2 {"action":"drop"}
-(log)
- inet/filter/FORWARD -j logdrop-0
- inet/filter/INPUT -j logdrop-0
- inet/filter/OUTPUT -j logdrop-0
- inet/filter/logdrop-0 -m limit --limit 1/second -j LOG
- inet/filter/logdrop-0 -j DROP
- inet6/filter/FORWARD -j logdrop-0
- inet6/filter/INPUT -j logdrop-0
- inet6/filter/OUTPUT -j logdrop-0
- inet6/filter/logdrop-0 -m limit --limit 1/second -j LOG
- inet6/filter/logdrop-0 -j DROP
-
-Filter 3 {"action":"pass"}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 4 {"log":false}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 5 {"action":"drop","log":false}
-(log)
- inet/filter/FORWARD -j DROP
- inet/filter/INPUT -j DROP
- inet/filter/OUTPUT -j DROP
- inet6/filter/FORWARD -j DROP
- inet6/filter/INPUT -j DROP
- inet6/filter/OUTPUT -j DROP
-
-Filter 6 {"action":"pass","log":false}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 7 {"log":true}
-(log)
- inet/filter/FORWARD -j logaccept-0
- inet/filter/INPUT -j logaccept-0
- inet/filter/OUTPUT -j logaccept-0
- inet/filter/logaccept-0 -m limit --limit 1/second -j LOG
- inet/filter/logaccept-0 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-0
- inet6/filter/INPUT -j logaccept-0
- inet6/filter/OUTPUT -j logaccept-0
- inet6/filter/logaccept-0 -m limit --limit 1/second -j LOG
- inet6/filter/logaccept-0 -j ACCEPT
-
-Filter 8 {"action":"drop","log":true}
-(log)
- inet/filter/FORWARD -j logdrop-1
- inet/filter/INPUT -j logdrop-1
- inet/filter/OUTPUT -j logdrop-1
- inet/filter/logdrop-1 -m limit --limit 1/second -j LOG
- inet/filter/logdrop-1 -j DROP
- inet6/filter/FORWARD -j logdrop-1
- inet6/filter/INPUT -j logdrop-1
- inet6/filter/OUTPUT -j logdrop-1
- inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG
- inet6/filter/logdrop-1 -j DROP
-
-Filter 9 {"action":"pass","log":true}
-(log)
- inet/filter/FORWARD -j logpass-0
- inet/filter/INPUT -j logpass-0
- inet/filter/OUTPUT -j logpass-0
- inet/filter/logpass-0 -m limit --limit 1/second -j LOG
- inet6/filter/FORWARD -j logpass-0
- inet6/filter/INPUT -j logpass-0
- inet6/filter/OUTPUT -j logpass-0
- inet6/filter/logpass-0 -m limit --limit 1/second -j LOG
-
-Filter 10 {"log":"dual"}
-(log)
- inet/filter/FORWARD -j logaccept-1
- inet/filter/INPUT -j logaccept-1
- inet/filter/OUTPUT -j logaccept-1
- inet/filter/logaccept-1 -j LOG
- inet/filter/logaccept-1 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-1
- inet6/filter/INPUT -j logaccept-1
- inet6/filter/OUTPUT -j logaccept-1
- inet6/filter/logaccept-1 -j LOG
- inet6/filter/logaccept-1 -j TEE --gateway fc00::1
- inet6/filter/logaccept-1 -j ACCEPT
-
-Filter 11 {"action":"drop","log":"dual"}
-(log)
- inet/filter/FORWARD -j logdrop-2
- inet/filter/INPUT -j logdrop-2
- inet/filter/OUTPUT -j logdrop-2
- inet/filter/logdrop-2 -j LOG
- inet/filter/logdrop-2 -j DROP
- inet6/filter/FORWARD -j logdrop-2
- inet6/filter/INPUT -j logdrop-2
- inet6/filter/OUTPUT -j logdrop-2
- inet6/filter/logdrop-2 -j LOG
- inet6/filter/logdrop-2 -j TEE --gateway fc00::1
- inet6/filter/logdrop-2 -j DROP
-
-Filter 12 {"action":"pass","log":"dual"}
-(log)
- inet/filter/FORWARD -j logpass-1
- inet/filter/INPUT -j logpass-1
- inet/filter/OUTPUT -j logpass-1
- inet/filter/logpass-1 -j LOG
- inet6/filter/FORWARD -j logpass-1
- inet6/filter/INPUT -j logpass-1
- inet6/filter/OUTPUT -j logpass-1
- inet6/filter/logpass-1 -j LOG
- inet6/filter/logpass-1 -j TEE --gateway fc00::1
-
-Filter 13 {"log":"mirror"}
-(log)
- inet/filter/FORWARD -j logaccept-2
- inet/filter/INPUT -j logaccept-2
- inet/filter/OUTPUT -j logaccept-2
- inet/filter/logaccept-2 -j TEE --gateway 10.0.0.1
- inet/filter/logaccept-2 -j TEE --gateway 10.0.0.2
- inet/filter/logaccept-2 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-2
- inet6/filter/INPUT -j logaccept-2
- inet6/filter/OUTPUT -j logaccept-2
- inet6/filter/logaccept-2 -j TEE --gateway fc00::2
- inet6/filter/logaccept-2 -j ACCEPT
-
-Filter 14 {"action":"drop","log":"mirror"}
-(log)
- inet/filter/FORWARD -j logdrop-3
- inet/filter/INPUT -j logdrop-3
- inet/filter/OUTPUT -j logdrop-3
- inet/filter/logdrop-3 -j TEE --gateway 10.0.0.1
- inet/filter/logdrop-3 -j TEE --gateway 10.0.0.2
- inet/filter/logdrop-3 -j DROP
- inet6/filter/FORWARD -j logdrop-3
- inet6/filter/INPUT -j logdrop-3
- inet6/filter/OUTPUT -j logdrop-3
- inet6/filter/logdrop-3 -j TEE --gateway fc00::2
- inet6/filter/logdrop-3 -j DROP
-
-Filter 15 {"action":"pass","log":"mirror"}
-(log)
- inet/filter/FORWARD -j logpass-2
- inet/filter/INPUT -j logpass-2
- inet/filter/OUTPUT -j logpass-2
- inet/filter/logpass-2 -j TEE --gateway 10.0.0.1
- inet/filter/logpass-2 -j TEE --gateway 10.0.0.2
- inet6/filter/FORWARD -j logpass-2
- inet6/filter/INPUT -j logpass-2
- inet6/filter/OUTPUT -j logpass-2
- inet6/filter/logpass-2 -j TEE --gateway fc00::2
-
-Filter 16 {"log":"none"}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 17 {"action":"drop","log":"none"}
-(log)
- inet/filter/FORWARD -j DROP
- inet/filter/INPUT -j DROP
- inet/filter/OUTPUT -j DROP
- inet6/filter/FORWARD -j DROP
- inet6/filter/INPUT -j DROP
- inet6/filter/OUTPUT -j DROP
-
-Filter 18 {"action":"pass","log":"none"}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 19 {"log":"ulog"}
-(log)
- inet/filter/FORWARD -j logaccept-3
- inet/filter/INPUT -j logaccept-3
- inet/filter/OUTPUT -j logaccept-3
- inet/filter/logaccept-3 -m limit --limit 12/minute -j ULOG
- inet/filter/logaccept-3 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-3
- inet6/filter/INPUT -j logaccept-3
- inet6/filter/OUTPUT -j logaccept-3
- inet6/filter/logaccept-3 -j ACCEPT
-
-Filter 20 {"action":"drop","log":"ulog"}
-(log)
- inet/filter/FORWARD -j logdrop-4
- inet/filter/INPUT -j logdrop-4
- inet/filter/OUTPUT -j logdrop-4
- inet/filter/logdrop-4 -m limit --limit 12/minute -j ULOG
- inet/filter/logdrop-4 -j DROP
- inet6/filter/FORWARD -j logdrop-4
- inet6/filter/INPUT -j logdrop-4
- inet6/filter/OUTPUT -j logdrop-4
- inet6/filter/logdrop-4 -j DROP
-
-Filter 21 {"action":"pass","log":"ulog"}
-(log)
- inet/filter/FORWARD -j logpass-3
- inet/filter/INPUT -j logpass-3
- inet/filter/OUTPUT -j logpass-3
- inet/filter/logpass-3 -m limit --limit 12/minute -j ULOG
-
-Filter 22 {"action":"pass","in":"_fw","log":"ulog"}
-(log)
- inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
-
-Filter 23 {"in":["_fw","A"]}
-(zone)
- inet/filter/FORWARD -i eth0 -j ACCEPT
- inet/filter/INPUT -i eth0 -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -i eth0 -j ACCEPT
- inet6/filter/INPUT -i eth0 -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 24 {"in":"B","out":"C"}
-(zone)
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+Filter 1 {"action":"pass","in":"_fw","log":"ulog"}
+(log)
+ inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
-Filter 25 {"out":["_fw","B"]}
-(zone)
- inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-
-Filter 26 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
-(zone)
- inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+Filter 2 {"in":["_fw","A"]}
+(zone)
+ inet/filter/FORWARD -i eth0 -j ACCEPT
+ inet/filter/INPUT -i eth0 -j ACCEPT
+ inet/filter/OUTPUT -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -j ACCEPT
+ inet6/filter/INPUT -i eth0 -j ACCEPT
+ inet6/filter/OUTPUT -j ACCEPT
+
+Filter 3 {"in":"B","out":"C"}
+(zone)
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+
+Filter 4 {"out":["_fw","B"]}
+(zone)
+ inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/INPUT -j ACCEPT
+ inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/INPUT -j ACCEPT
+ inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
+
+Filter 5 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
+(zone)
+ inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
Ipset awall-masquerade {"family":"inet","type":"hash:net"}
@@ -693,41 +460,7 @@ hash:net family inet
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-3
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -785,53 +518,11 @@ hash:net family inet
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
--A INPUT -j logpass-3
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-3
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -839,31 +530,6 @@ hash:net family inet
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway 10.0.0.1
--A logaccept-2 -j TEE --gateway 10.0.0.2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -m limit --limit 12/minute -j ULOG
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway 10.0.0.1
--A logdrop-3 -j TEE --gateway 10.0.0.2
--A logdrop-3 -j DROP
--A logdrop-4 -m limit --limit 12/minute -j ULOG
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
@@ -914,39 +580,7 @@ COMMIT
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -978,80 +612,18 @@ COMMIT
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j TEE --gateway fc00::1
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway fc00::2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j TEE --gateway fc00::1
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway fc00::2
--A logdrop-3 -j DROP
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
COMMIT
*mangle
:INPUT ACCEPT [0:0]
diff --git a/test/output/route-track/rules-save b/test/output/route-track/rules-save
index 2c3701e..bc09c55 100644
--- a/test/output/route-track/rules-save
+++ b/test/output/route-track/rules-save
@@ -4,41 +4,7 @@
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-3
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -96,53 +62,11 @@
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
--A INPUT -j logpass-3
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-3
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -150,31 +74,6 @@
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway 10.0.0.1
--A logaccept-2 -j TEE --gateway 10.0.0.2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -m limit --limit 12/minute -j ULOG
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway 10.0.0.1
--A logdrop-3 -j TEE --gateway 10.0.0.2
--A logdrop-3 -j DROP
--A logdrop-4 -m limit --limit 12/minute -j ULOG
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
diff --git a/test/output/route-track/rules6-save b/test/output/route-track/rules6-save
index cca38f2..e479beb 100644
--- a/test/output/route-track/rules6-save
+++ b/test/output/route-track/rules6-save
@@ -4,39 +4,7 @@
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -68,80 +36,18 @@
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j TEE --gateway fc00::1
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway fc00::2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j TEE --gateway fc00::1
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway fc00::2
--A logdrop-3 -j DROP
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
COMMIT
*mangle
:INPUT ACCEPT [0:0]
diff --git a/test/output/tproxy/dump b/test/output/tproxy/dump
index dcff82d..d84b4e1 100644
--- a/test/output/tproxy/dump
+++ b/test/output/tproxy/dump
@@ -12,336 +12,103 @@ Dnat 2 {"in":"B"}
inet/nat/PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
-Filter 1 {}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 2 {"action":"drop"}
-(log)
- inet/filter/FORWARD -j logdrop-0
- inet/filter/INPUT -j logdrop-0
- inet/filter/OUTPUT -j logdrop-0
- inet/filter/logdrop-0 -m limit --limit 1/second -j LOG
- inet/filter/logdrop-0 -j DROP
- inet6/filter/FORWARD -j logdrop-0
- inet6/filter/INPUT -j logdrop-0
- inet6/filter/OUTPUT -j logdrop-0
- inet6/filter/logdrop-0 -m limit --limit 1/second -j LOG
- inet6/filter/logdrop-0 -j DROP
-
-Filter 3 {"action":"pass"}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 4 {"log":false}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 5 {"action":"drop","log":false}
-(log)
- inet/filter/FORWARD -j DROP
- inet/filter/INPUT -j DROP
- inet/filter/OUTPUT -j DROP
- inet6/filter/FORWARD -j DROP
- inet6/filter/INPUT -j DROP
- inet6/filter/OUTPUT -j DROP
-
-Filter 6 {"action":"pass","log":false}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 7 {"log":true}
-(log)
- inet/filter/FORWARD -j logaccept-0
- inet/filter/INPUT -j logaccept-0
- inet/filter/OUTPUT -j logaccept-0
- inet/filter/logaccept-0 -m limit --limit 1/second -j LOG
- inet/filter/logaccept-0 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-0
- inet6/filter/INPUT -j logaccept-0
- inet6/filter/OUTPUT -j logaccept-0
- inet6/filter/logaccept-0 -m limit --limit 1/second -j LOG
- inet6/filter/logaccept-0 -j ACCEPT
-
-Filter 8 {"action":"drop","log":true}
-(log)
- inet/filter/FORWARD -j logdrop-1
- inet/filter/INPUT -j logdrop-1
- inet/filter/OUTPUT -j logdrop-1
- inet/filter/logdrop-1 -m limit --limit 1/second -j LOG
- inet/filter/logdrop-1 -j DROP
- inet6/filter/FORWARD -j logdrop-1
- inet6/filter/INPUT -j logdrop-1
- inet6/filter/OUTPUT -j logdrop-1
- inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG
- inet6/filter/logdrop-1 -j DROP
-
-Filter 9 {"action":"pass","log":true}
-(log)
- inet/filter/FORWARD -j logpass-0
- inet/filter/INPUT -j logpass-0
- inet/filter/OUTPUT -j logpass-0
- inet/filter/logpass-0 -m limit --limit 1/second -j LOG
- inet6/filter/FORWARD -j logpass-0
- inet6/filter/INPUT -j logpass-0
- inet6/filter/OUTPUT -j logpass-0
- inet6/filter/logpass-0 -m limit --limit 1/second -j LOG
-
-Filter 10 {"log":"dual"}
-(log)
- inet/filter/FORWARD -j logaccept-1
- inet/filter/INPUT -j logaccept-1
- inet/filter/OUTPUT -j logaccept-1
- inet/filter/logaccept-1 -j LOG
- inet/filter/logaccept-1 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-1
- inet6/filter/INPUT -j logaccept-1
- inet6/filter/OUTPUT -j logaccept-1
- inet6/filter/logaccept-1 -j LOG
- inet6/filter/logaccept-1 -j TEE --gateway fc00::1
- inet6/filter/logaccept-1 -j ACCEPT
-
-Filter 11 {"action":"drop","log":"dual"}
-(log)
- inet/filter/FORWARD -j logdrop-2
- inet/filter/INPUT -j logdrop-2
- inet/filter/OUTPUT -j logdrop-2
- inet/filter/logdrop-2 -j LOG
- inet/filter/logdrop-2 -j DROP
- inet6/filter/FORWARD -j logdrop-2
- inet6/filter/INPUT -j logdrop-2
- inet6/filter/OUTPUT -j logdrop-2
- inet6/filter/logdrop-2 -j LOG
- inet6/filter/logdrop-2 -j TEE --gateway fc00::1
- inet6/filter/logdrop-2 -j DROP
-
-Filter 12 {"action":"pass","log":"dual"}
-(log)
- inet/filter/FORWARD -j logpass-1
- inet/filter/INPUT -j logpass-1
- inet/filter/OUTPUT -j logpass-1
- inet/filter/logpass-1 -j LOG
- inet6/filter/FORWARD -j logpass-1
- inet6/filter/INPUT -j logpass-1
- inet6/filter/OUTPUT -j logpass-1
- inet6/filter/logpass-1 -j LOG
- inet6/filter/logpass-1 -j TEE --gateway fc00::1
-
-Filter 13 {"log":"mirror"}
-(log)
- inet/filter/FORWARD -j logaccept-2
- inet/filter/INPUT -j logaccept-2
- inet/filter/OUTPUT -j logaccept-2
- inet/filter/logaccept-2 -j TEE --gateway 10.0.0.1
- inet/filter/logaccept-2 -j TEE --gateway 10.0.0.2
- inet/filter/logaccept-2 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-2
- inet6/filter/INPUT -j logaccept-2
- inet6/filter/OUTPUT -j logaccept-2
- inet6/filter/logaccept-2 -j TEE --gateway fc00::2
- inet6/filter/logaccept-2 -j ACCEPT
-
-Filter 14 {"action":"drop","log":"mirror"}
-(log)
- inet/filter/FORWARD -j logdrop-3
- inet/filter/INPUT -j logdrop-3
- inet/filter/OUTPUT -j logdrop-3
- inet/filter/logdrop-3 -j TEE --gateway 10.0.0.1
- inet/filter/logdrop-3 -j TEE --gateway 10.0.0.2
- inet/filter/logdrop-3 -j DROP
- inet6/filter/FORWARD -j logdrop-3
- inet6/filter/INPUT -j logdrop-3
- inet6/filter/OUTPUT -j logdrop-3
- inet6/filter/logdrop-3 -j TEE --gateway fc00::2
- inet6/filter/logdrop-3 -j DROP
-
-Filter 15 {"action":"pass","log":"mirror"}
-(log)
- inet/filter/FORWARD -j logpass-2
- inet/filter/INPUT -j logpass-2
- inet/filter/OUTPUT -j logpass-2
- inet/filter/logpass-2 -j TEE --gateway 10.0.0.1
- inet/filter/logpass-2 -j TEE --gateway 10.0.0.2
- inet6/filter/FORWARD -j logpass-2
- inet6/filter/INPUT -j logpass-2
- inet6/filter/OUTPUT -j logpass-2
- inet6/filter/logpass-2 -j TEE --gateway fc00::2
-
-Filter 16 {"log":"none"}
-(log)
- inet/filter/FORWARD -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 17 {"action":"drop","log":"none"}
-(log)
- inet/filter/FORWARD -j DROP
- inet/filter/INPUT -j DROP
- inet/filter/OUTPUT -j DROP
- inet6/filter/FORWARD -j DROP
- inet6/filter/INPUT -j DROP
- inet6/filter/OUTPUT -j DROP
-
-Filter 18 {"action":"pass","log":"none"}
-(log)
- inet/filter/FORWARD
- inet/filter/INPUT
- inet/filter/OUTPUT
- inet6/filter/FORWARD
- inet6/filter/INPUT
- inet6/filter/OUTPUT
-
-Filter 19 {"log":"ulog"}
-(log)
- inet/filter/FORWARD -j logaccept-3
- inet/filter/INPUT -j logaccept-3
- inet/filter/OUTPUT -j logaccept-3
- inet/filter/logaccept-3 -m limit --limit 12/minute -j ULOG
- inet/filter/logaccept-3 -j ACCEPT
- inet6/filter/FORWARD -j logaccept-3
- inet6/filter/INPUT -j logaccept-3
- inet6/filter/OUTPUT -j logaccept-3
- inet6/filter/logaccept-3 -j ACCEPT
-
-Filter 20 {"action":"drop","log":"ulog"}
-(log)
- inet/filter/FORWARD -j logdrop-4
- inet/filter/INPUT -j logdrop-4
- inet/filter/OUTPUT -j logdrop-4
- inet/filter/logdrop-4 -m limit --limit 12/minute -j ULOG
- inet/filter/logdrop-4 -j DROP
- inet6/filter/FORWARD -j logdrop-4
- inet6/filter/INPUT -j logdrop-4
- inet6/filter/OUTPUT -j logdrop-4
- inet6/filter/logdrop-4 -j DROP
-
-Filter 21 {"action":"pass","log":"ulog"}
-(log)
- inet/filter/FORWARD -j logpass-3
- inet/filter/INPUT -j logpass-3
- inet/filter/OUTPUT -j logpass-3
- inet/filter/logpass-3 -m limit --limit 12/minute -j ULOG
-
-Filter 22 {"action":"pass","in":"_fw","log":"ulog"}
-(log)
- inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
-
-Filter 23 {"in":["_fw","A"]}
-(zone)
- inet/filter/FORWARD -i eth0 -j ACCEPT
- inet/filter/INPUT -i eth0 -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -i eth0 -j ACCEPT
- inet6/filter/INPUT -i eth0 -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 24 {"in":"B","out":"C"}
-(zone)
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+Filter 1 {"action":"pass","in":"_fw","log":"ulog"}
+(log)
+ inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
-Filter 25 {"out":["_fw","B"]}
-(zone)
- inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-
-Filter 26 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
-(zone)
- inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+Filter 2 {"in":["_fw","A"]}
+(zone)
+ inet/filter/FORWARD -i eth0 -j ACCEPT
+ inet/filter/INPUT -i eth0 -j ACCEPT
+ inet/filter/OUTPUT -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -j ACCEPT
+ inet6/filter/INPUT -i eth0 -j ACCEPT
+ inet6/filter/OUTPUT -j ACCEPT
+
+Filter 3 {"in":"B","out":"C"}
+(zone)
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+
+Filter 4 {"out":["_fw","B"]}
+(zone)
+ inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/INPUT -j ACCEPT
+ inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/INPUT -j ACCEPT
+ inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
+
+Filter 5 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
+(zone)
+ inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
Ipset awall-masquerade {"family":"inet","type":"hash:net"}
@@ -687,41 +454,7 @@ hash:net family inet
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-3
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -779,53 +512,11 @@ hash:net family inet
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
--A INPUT -j logpass-3
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-3
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -833,31 +524,6 @@ hash:net family inet
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway 10.0.0.1
--A logaccept-2 -j TEE --gateway 10.0.0.2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -m limit --limit 12/minute -j ULOG
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway 10.0.0.1
--A logdrop-3 -j TEE --gateway 10.0.0.2
--A logdrop-3 -j DROP
--A logdrop-4 -m limit --limit 12/minute -j ULOG
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
@@ -907,39 +573,7 @@ COMMIT
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -971,80 +605,18 @@ COMMIT
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j TEE --gateway fc00::1
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway fc00::2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j TEE --gateway fc00::1
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway fc00::2
--A logdrop-3 -j DROP
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
COMMIT
*mangle
:INPUT ACCEPT [0:0]
diff --git a/test/output/tproxy/rules-save b/test/output/tproxy/rules-save
index a65f2fe..48dd2f4 100644
--- a/test/output/tproxy/rules-save
+++ b/test/output/tproxy/rules-save
@@ -4,41 +4,7 @@
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-3
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -96,53 +62,11 @@
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
--A INPUT -j logpass-3
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-3
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -150,31 +74,6 @@
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway 10.0.0.1
--A logaccept-2 -j TEE --gateway 10.0.0.2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -m limit --limit 12/minute -j ULOG
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway 10.0.0.1
--A logdrop-3 -j TEE --gateway 10.0.0.2
--A logdrop-3 -j DROP
--A logdrop-4 -m limit --limit 12/minute -j ULOG
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
diff --git a/test/output/tproxy/rules6-save b/test/output/tproxy/rules6-save
index 08f7075..e53cbd2 100644
--- a/test/output/tproxy/rules6-save
+++ b/test/output/tproxy/rules6-save
@@ -4,39 +4,7 @@
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -68,80 +36,18 @@
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j TEE --gateway fc00::1
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway fc00::2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j TEE --gateway fc00::1
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway fc00::2
--A logdrop-3 -j DROP
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
COMMIT
*mangle
:INPUT ACCEPT [0:0]