author | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2020-07-10 15:30:39 +0300 |
---|---|---|
committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2020-09-18 14:20:36 +0300 |
commit | dde0cffd637b0a615746b28d0158ad941ef116ac (patch) | |
tree | 6074cda11448807f042bf378f942ab79e9771488 | |
parent | 5e3f460995ef26578188be7ac695dd5d02afcb9c (diff) |
test: split filter-log cases
39 files changed, 2247 insertions, 7670 deletions
diff --git a/test/mandatory/log.json b/test/mandatory/log.json
index d1cbb4c..b8b0578 100644
--- a/test/mandatory/log.json
+++ b/test/mandatory/log.json
@@ -12,29 +12,5 @@
 { "out": "_fw", "log": "nflog" },
 { "out": "_fw", "log": "ulog" }
 ],
- "filter": [
- {},
- { "action": "drop" },
- { "action": "pass" },
- { "log": false },
- { "log": false, "action": "drop" },
- { "log": false, "action": "pass" },
- { "log": true },
- { "log": true, "action": "drop" },
- { "log": true, "action": "pass" },
- { "log": "dual" },
- { "log": "dual", "action": "drop" },
- { "log": "dual", "action": "pass" },
- { "log": "mirror" },
- { "log": "mirror", "action": "drop" },
- { "log": "mirror", "action": "pass" },
- { "log": "none" },
- { "log": "none", "action": "drop" },
- { "log": "none", "action": "pass" },
-
- { "log": "ulog" },
- { "log": "ulog", "action": "drop" },
- { "log": "ulog", "action": "pass" },
- { "in": "_fw", "log": "ulog", "action": "pass" }
- ]
+ "filter": [ { "in": "_fw", "log": "ulog", "action": "pass" } ]
 }
diff --git a/test/optional/filter-log.lua b/test/optional/filter-log.lua
new file mode 100644
index 0000000..b3471c7
--- /dev/null
+++ b/test/optional/filter-log.lua
@@ -0,0 +1,19 @@
+--[[
+Filter log test cases for Alpine Wall
+Copyright (C) 2012-2020 Kaarle Ritvanen
+See LICENSE file for license details
+]]--
+
+
+json = require('cjson')
+
+res = {}
+
+for _, log in ipairs{'', false, true, 'dual', 'mirror', 'none', 'ulog'} do
+ for _, action in ipairs{false, 'drop', 'pass'} do
+ if log == '' then log = nil end
+ table.insert(res, {log=log, action=action or nil})
+ end
+end
+
+print(json.encode{filter=res})
diff --git a/test/output/address/dump b/test/output/address/dump
index d008591..34a51c9 100644
--- a/test/output/address/dump
+++ b/test/output/address/dump
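Review bot: In the new filter-log.lua, `json` and `res` are assigned without `local` and so leak into the global environment, and the `''` to `nil` conversion sits inside the inner `action` loop even though it depends only on `log`, so it re-runs (harmlessly) three times per log mode. Declaring `local json = require('cjson')` and `local res = {}`, and moving `if log == '' then log = nil end` to just before the inner `for`, keeps the script luacheck-clean and makes the sentinel's role obvious; if the other generator scripts under test/optional deliberately use globals, match them instead. A short comment on the outer loop, such as `-- '' stands in for "no log attribute": nil cannot be an element of the ipairs list`, would save the next reader from wondering why the empty string is enumerated at all. Separately, the generated matrix exercises `ulog` but not `nflog`, although the context lines of the mandatory config show an `nflog` log target defined; if these cases are meant to cover every configured log target, `'nflog'` should be added to the list, otherwise the current coverage matches what was removed from log.json.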
@@ -7734,244 +7734,11 @@ Filter 1200 {"action":"pass","dest":["172.16.0.0\/16","fc00::2 inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j address-473 inet/filter/address-473 -s 10.0.0.1 -d 172.16.0.0/16 -m limit --limit 12/minute -j ULOG -Filter 1201 {} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 1202 {"action":"drop"} -(log) - inet/filter/FORWARD -j logdrop-0 - inet/filter/INPUT -j logdrop-0 - inet/filter/OUTPUT -j logdrop-0 - inet/filter/logdrop-0 -m limit --limit 1/second -j LOG - inet/filter/logdrop-0 -j DROP - inet6/filter/FORWARD -j logdrop-0 - inet6/filter/INPUT -j logdrop-0 - inet6/filter/OUTPUT -j logdrop-0 - inet6/filter/logdrop-0 -m limit --limit 1/second -j LOG - inet6/filter/logdrop-0 -j DROP - -Filter 1203 {"action":"pass"} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 1204 {"log":false} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 1205 {"action":"drop","log":false} -(log) - inet/filter/FORWARD -j DROP - inet/filter/INPUT -j DROP - inet/filter/OUTPUT -j DROP - inet6/filter/FORWARD -j DROP - inet6/filter/INPUT -j DROP - inet6/filter/OUTPUT -j DROP - -Filter 1206 {"action":"pass","log":false} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 1207 {"log":true} -(log) - inet/filter/FORWARD -j logaccept-267 - inet/filter/INPUT -j logaccept-267 - inet/filter/OUTPUT -j logaccept-267 - inet/filter/logaccept-267 -m limit --limit 1/second -j LOG - inet/filter/logaccept-267 -j ACCEPT - inet6/filter/FORWARD -j logaccept-267 - 
inet6/filter/INPUT -j logaccept-267 - inet6/filter/OUTPUT -j logaccept-267 - inet6/filter/logaccept-267 -m limit --limit 1/second -j LOG - inet6/filter/logaccept-267 -j ACCEPT - -Filter 1208 {"action":"drop","log":true} -(log) - inet/filter/FORWARD -j logdrop-1 - inet/filter/INPUT -j logdrop-1 - inet/filter/OUTPUT -j logdrop-1 - inet/filter/logdrop-1 -m limit --limit 1/second -j LOG - inet/filter/logdrop-1 -j DROP - inet6/filter/FORWARD -j logdrop-1 - inet6/filter/INPUT -j logdrop-1 - inet6/filter/OUTPUT -j logdrop-1 - inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG - inet6/filter/logdrop-1 -j DROP - -Filter 1209 {"action":"pass","log":true} -(log) - inet/filter/FORWARD -j logpass-167 - inet/filter/INPUT -j logpass-167 - inet/filter/OUTPUT -j logpass-167 - inet/filter/logpass-167 -m limit --limit 1/second -j LOG - inet6/filter/FORWARD -j logpass-167 - inet6/filter/INPUT -j logpass-167 - inet6/filter/OUTPUT -j logpass-167 - inet6/filter/logpass-167 -m limit --limit 1/second -j LOG - -Filter 1210 {"log":"dual"} -(log) - inet/filter/FORWARD -j logaccept-268 - inet/filter/INPUT -j logaccept-268 - inet/filter/OUTPUT -j logaccept-268 - inet/filter/logaccept-268 -j LOG - inet/filter/logaccept-268 -j ACCEPT - inet6/filter/FORWARD -j logaccept-268 - inet6/filter/INPUT -j logaccept-268 - inet6/filter/OUTPUT -j logaccept-268 - inet6/filter/logaccept-268 -j LOG - inet6/filter/logaccept-268 -j TEE --gateway fc00::1 - inet6/filter/logaccept-268 -j ACCEPT - -Filter 1211 {"action":"drop","log":"dual"} -(log) - inet/filter/FORWARD -j logdrop-2 - inet/filter/INPUT -j logdrop-2 - inet/filter/OUTPUT -j logdrop-2 - inet/filter/logdrop-2 -j LOG - inet/filter/logdrop-2 -j DROP - inet6/filter/FORWARD -j logdrop-2 - inet6/filter/INPUT -j logdrop-2 - inet6/filter/OUTPUT -j logdrop-2 - inet6/filter/logdrop-2 -j LOG - inet6/filter/logdrop-2 -j TEE --gateway fc00::1 - inet6/filter/logdrop-2 -j DROP - -Filter 1212 {"action":"pass","log":"dual"} -(log) - inet/filter/FORWARD -j 
logpass-168 - inet/filter/INPUT -j logpass-168 - inet/filter/OUTPUT -j logpass-168 - inet/filter/logpass-168 -j LOG - inet6/filter/FORWARD -j logpass-168 - inet6/filter/INPUT -j logpass-168 - inet6/filter/OUTPUT -j logpass-168 - inet6/filter/logpass-168 -j LOG - inet6/filter/logpass-168 -j TEE --gateway fc00::1 - -Filter 1213 {"log":"mirror"} -(log) - inet/filter/FORWARD -j logaccept-269 - inet/filter/INPUT -j logaccept-269 - inet/filter/OUTPUT -j logaccept-269 - inet/filter/logaccept-269 -j TEE --gateway 10.0.0.1 - inet/filter/logaccept-269 -j TEE --gateway 10.0.0.2 - inet/filter/logaccept-269 -j ACCEPT - inet6/filter/FORWARD -j logaccept-269 - inet6/filter/INPUT -j logaccept-269 - inet6/filter/OUTPUT -j logaccept-269 - inet6/filter/logaccept-269 -j TEE --gateway fc00::2 - inet6/filter/logaccept-269 -j ACCEPT - -Filter 1214 {"action":"drop","log":"mirror"} -(log) - inet/filter/FORWARD -j logdrop-3 - inet/filter/INPUT -j logdrop-3 - inet/filter/OUTPUT -j logdrop-3 - inet/filter/logdrop-3 -j TEE --gateway 10.0.0.1 - inet/filter/logdrop-3 -j TEE --gateway 10.0.0.2 - inet/filter/logdrop-3 -j DROP - inet6/filter/FORWARD -j logdrop-3 - inet6/filter/INPUT -j logdrop-3 - inet6/filter/OUTPUT -j logdrop-3 - inet6/filter/logdrop-3 -j TEE --gateway fc00::2 - inet6/filter/logdrop-3 -j DROP - -Filter 1215 {"action":"pass","log":"mirror"} -(log) - inet/filter/FORWARD -j logpass-169 - inet/filter/INPUT -j logpass-169 - inet/filter/OUTPUT -j logpass-169 - inet/filter/logpass-169 -j TEE --gateway 10.0.0.1 - inet/filter/logpass-169 -j TEE --gateway 10.0.0.2 - inet6/filter/FORWARD -j logpass-169 - inet6/filter/INPUT -j logpass-169 - inet6/filter/OUTPUT -j logpass-169 - inet6/filter/logpass-169 -j TEE --gateway fc00::2 - -Filter 1216 {"log":"none"} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 1217 
{"action":"drop","log":"none"} -(log) - inet/filter/FORWARD -j DROP - inet/filter/INPUT -j DROP - inet/filter/OUTPUT -j DROP - inet6/filter/FORWARD -j DROP - inet6/filter/INPUT -j DROP - inet6/filter/OUTPUT -j DROP - -Filter 1218 {"action":"pass","log":"none"} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 1219 {"log":"ulog"} -(log) - inet/filter/FORWARD -j logaccept-270 - inet/filter/INPUT -j logaccept-270 - inet/filter/OUTPUT -j logaccept-270 - inet/filter/logaccept-270 -m limit --limit 12/minute -j ULOG - inet/filter/logaccept-270 -j ACCEPT - inet6/filter/FORWARD -j logaccept-270 - inet6/filter/INPUT -j logaccept-270 - inet6/filter/OUTPUT -j logaccept-270 - inet6/filter/logaccept-270 -j ACCEPT - -Filter 1220 {"action":"drop","log":"ulog"} -(log) - inet/filter/FORWARD -j logdrop-4 - inet/filter/INPUT -j logdrop-4 - inet/filter/OUTPUT -j logdrop-4 - inet/filter/logdrop-4 -m limit --limit 12/minute -j ULOG - inet/filter/logdrop-4 -j DROP - inet6/filter/FORWARD -j logdrop-4 - inet6/filter/INPUT -j logdrop-4 - inet6/filter/OUTPUT -j logdrop-4 - inet6/filter/logdrop-4 -j DROP - -Filter 1221 {"action":"pass","log":"ulog"} -(log) - inet/filter/FORWARD -j logpass-170 - inet/filter/INPUT -j logpass-170 - inet/filter/OUTPUT -j logpass-170 - inet/filter/logpass-170 -m limit --limit 12/minute -j ULOG - -Filter 1222 {"action":"pass","in":"_fw","log":"ulog"} +Filter 1201 {"action":"pass","in":"_fw","log":"ulog"} (log) inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG -Filter 1223 {"in":["_fw","A"]} +Filter 1202 {"in":["_fw","A"]} (zone) inet/filter/FORWARD -i eth0 -j ACCEPT inet/filter/INPUT -i eth0 -j ACCEPT 
@@ -7980,12 +7747,12 @@ Filter 1223 {"in":["_fw","A"]} inet6/filter/INPUT -i eth0 -j ACCEPT inet6/filter/OUTPUT -j ACCEPT -Filter 1224 {"in":"B","out":"C"} +Filter 1203 {"in":"B","out":"C"} (zone) inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT -Filter 1225 {"out":["_fw","B"]} +Filter 1204 {"out":["_fw","B"]} (zone) inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT inet/filter/INPUT -j ACCEPT @@ -7994,7 +7761,7 @@ Filter 1225 {"out":["_fw","B"]} inet6/filter/INPUT -j ACCEPT inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT -Filter 1226 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} +Filter 1205 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} (zone) inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT @@ -8942,10 +8709,6 @@ hash:net family inet :logaccept-264 - [0:0] :logaccept-265 - [0:0] :logaccept-266 - [0:0] -:logaccept-267 - [0:0] -:logaccept-268 - [0:0] -:logaccept-269 - [0:0] -:logaccept-270 - [0:0] :logaccept-3 - [0:0] :logaccept-32 - [0:0] :logaccept-33 - [0:0] @@ -9009,11 +8772,6 @@ hash:net family inet :logaccept-97 - [0:0] :logaccept-98 - [0:0] :logaccept-99 - [0:0] -:logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] :logpass-0 - [0:0] :logpass-1 - [0:0] :logpass-10 - [0:0] @@ -9088,11 +8846,7 @@ hash:net family inet :logpass-164 - [0:0] :logpass-165 - [0:0] :logpass-166 - [0:0] -:logpass-167 - [0:0] -:logpass-168 - [0:0] -:logpass-169 - [0:0] :logpass-17 - [0:0] -:logpass-170 - [0:0] :logpass-18 - [0:0] :logpass-19 - [0:0] :logpass-2 - [0:0] 
@@ -10277,27 +10031,6 @@ hash:net family inet -A FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j address-472 -A FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j address-473 -A FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j address-473 --A FORWARD -j ACCEPT --A FORWARD -j logdrop-0 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-267 --A FORWARD -j logdrop-1 --A FORWARD -j logpass-167 --A FORWARD -j logaccept-268 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-168 --A FORWARD -j logaccept-269 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-169 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-270 --A FORWARD -j logdrop-4 --A FORWARD -j logpass-170 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT @@ -11063,27 +10796,6 @@ hash:net family inet -A INPUT -i eth1 -s 10.0.0.0/12 -j address-383 -A INPUT -i eth2 -s 10.1.0.0/12 -j address-383 -A INPUT -i eth3 -s 10.1.0.0/12 -j address-383 --A INPUT -j ACCEPT --A INPUT -j logdrop-0 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-267 --A INPUT -j logdrop-1 --A INPUT -j logpass-167 --A INPUT -j logaccept-268 --A INPUT -j logdrop-2 --A INPUT -j logpass-168 --A INPUT -j logaccept-269 --A INPUT -j logdrop-3 --A INPUT -j logpass-169 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-270 --A INPUT -j logdrop-4 --A INPUT -j logpass-170 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmp -j icmp-routing 
@@ -11341,27 +11053,6 @@ hash:net family inet -A OUTPUT -o eth1 -d 10.0.0.0/12 -j address-93 -A OUTPUT -o eth1 -d 10.0.0.0/12 -j address-94 -A OUTPUT -o eth1 -d 10.0.0.0/12 -j address-95 --A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-0 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-267 --A OUTPUT -j logdrop-1 --A OUTPUT -j logpass-167 --A OUTPUT -j logaccept-268 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-168 --A OUTPUT -j logaccept-269 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-169 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-270 --A OUTPUT -j logdrop-4 --A OUTPUT -j logpass-170 -A OUTPUT -m limit --limit 12/minute -j ULOG -A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT @@ -12315,15 +12006,6 @@ hash:net family inet -A logaccept-265 -j ACCEPT -A logaccept-266 -m limit --limit 12/minute -j ULOG -A logaccept-266 -j ACCEPT --A logaccept-267 -m limit --limit 1/second -j LOG --A logaccept-267 -j ACCEPT --A logaccept-268 -j LOG --A logaccept-268 -j ACCEPT --A logaccept-269 -j TEE --gateway 10.0.0.1 --A logaccept-269 -j TEE --gateway 10.0.0.2 --A logaccept-269 -j ACCEPT --A logaccept-270 -m limit --limit 12/minute -j ULOG --A logaccept-270 -j ACCEPT -A logaccept-3 -m limit --limit 12/minute -j ULOG -A logaccept-3 -j ACCEPT -A logaccept-32 -m limit --limit 1/second -j LOG 
@@ -12450,17 +12132,6 @@ hash:net family inet -A logaccept-98 -j ACCEPT -A logaccept-99 -m limit --limit 12/minute -j ULOG -A logaccept-99 -j ACCEPT --A logdrop-0 -m limit --limit 1/second -j LOG --A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -j LOG --A logdrop-2 -j DROP --A logdrop-3 -j TEE --gateway 10.0.0.1 --A logdrop-3 -j TEE --gateway 10.0.0.2 --A logdrop-3 -j DROP --A logdrop-4 -m limit --limit 12/minute -j ULOG --A logdrop-4 -j DROP -A logpass-0 -m limit --limit 1/second -j LOG -A logpass-1 -m limit --limit 12/minute -j ULOG -A logpass-10 -m limit --limit 12/minute -j ULOG @@ -12535,12 +12206,7 @@ hash:net family inet -A logpass-164 -m limit --limit 12/minute -j ULOG -A logpass-165 -m limit --limit 1/second -j LOG -A logpass-166 -m limit --limit 12/minute -j ULOG --A logpass-167 -m limit --limit 1/second -j LOG --A logpass-168 -j LOG --A logpass-169 -j TEE --gateway 10.0.0.1 --A logpass-169 -j TEE --gateway 10.0.0.2 -A logpass-17 -m limit --limit 1/second -j LOG --A logpass-170 -m limit --limit 12/minute -j ULOG -A logpass-18 -m limit --limit 12/minute -j ULOG -A logpass-19 -m limit --limit 1/second -j LOG -A logpass-2 -m limit --limit 1/second -j LOG @@ -12840,11 +12506,7 @@ COMMIT :logaccept-233 - [0:0] :logaccept-234 - [0:0] :logaccept-26 - [0:0] -:logaccept-267 - [0:0] -:logaccept-268 - [0:0] -:logaccept-269 - [0:0] :logaccept-27 - [0:0] -:logaccept-270 - [0:0] :logaccept-28 - [0:0] :logaccept-29 - [0:0] :logaccept-30 - [0:0] @@ -12879,11 +12541,6 @@ COMMIT :logaccept-88 - [0:0] :logaccept-89 - [0:0] :logaccept-9 - [0:0] -:logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] :logpass-0 - [0:0] :logpass-109 - [0:0] :logpass-115 - [0:0] @@ -12891,9 +12548,6 @@ COMMIT :logpass-130 - [0:0] :logpass-136 - [0:0] :logpass-137 - [0:0] -:logpass-167 - [0:0] -:logpass-168 - [0:0] -:logpass-169 - [0:0] :logpass-25 - [0:0] :logpass-26 - [0:0] :logpass-27 - [0:0] 
@@ -13185,26 +12839,6 @@ COMMIT -A FORWARD -i eth1 -s fc00::/7 -j address-380 -A FORWARD -i eth1 -s fc00::/7 -j address-381 -A FORWARD -i eth1 -s fc00::/7 -j address-382 --A FORWARD -j ACCEPT --A FORWARD -j logdrop-0 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-267 --A FORWARD -j logdrop-1 --A FORWARD -j logpass-167 --A FORWARD -j logaccept-268 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-168 --A FORWARD -j logaccept-269 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-169 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-270 --A FORWARD -j logdrop-4 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT @@ -13416,26 +13050,6 @@ COMMIT -A INPUT -i eth1 -s fc00::/7 -j address-380 -A INPUT -i eth1 -s fc00::/7 -j address-381 -A INPUT -i eth1 -s fc00::/7 -j address-382 --A INPUT -j ACCEPT --A INPUT -j logdrop-0 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-267 --A INPUT -j logdrop-1 --A INPUT -j logpass-167 --A INPUT -j logaccept-268 --A INPUT -j logdrop-2 --A INPUT -j logpass-168 --A INPUT -j logaccept-269 --A INPUT -j logdrop-3 --A INPUT -j logpass-169 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-270 --A INPUT -j logdrop-4 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmpv6 -j ACCEPT 
@@ -13532,26 +13146,6 @@ COMMIT -A OUTPUT -o eth1 -d fc00::/7 -j address-93 -A OUTPUT -o eth1 -d fc00::/7 -j address-94 -A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-0 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-267 --A OUTPUT -j logdrop-1 --A OUTPUT -j logpass-167 --A OUTPUT -j logaccept-268 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-168 --A OUTPUT -j logaccept-269 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-169 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-270 --A OUTPUT -j logdrop-4 --A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT -A OUTPUT -p icmpv6 -j ACCEPT -A address-108 -d fc00::2 -j ACCEPT @@ -13769,15 +13363,7 @@ COMMIT -A logaccept-234 -j ACCEPT -A logaccept-26 -m limit --limit 1/second -j LOG -A logaccept-26 -j ACCEPT --A logaccept-267 -m limit --limit 1/second -j LOG --A logaccept-267 -j ACCEPT --A logaccept-268 -j LOG --A logaccept-268 -j TEE --gateway fc00::1 --A logaccept-268 -j ACCEPT --A logaccept-269 -j TEE --gateway fc00::2 --A logaccept-269 -j ACCEPT -A logaccept-27 -j ACCEPT --A logaccept-270 -j ACCEPT -A logaccept-28 -m limit --limit 1/second -j LOG -A logaccept-28 -j ACCEPT -A logaccept-29 -j ACCEPT @@ -13831,16 +13417,6 @@ COMMIT -A logaccept-88 -j ACCEPT -A logaccept-89 -j ACCEPT -A logaccept-9 -j ACCEPT --A logdrop-0 -m limit --limit 1/second -j LOG --A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -j LOG --A logdrop-2 -j TEE --gateway fc00::1 --A logdrop-2 -j DROP --A logdrop-3 -j TEE --gateway fc00::2 --A logdrop-3 -j DROP --A logdrop-4 -j DROP -A logpass-0 -m limit --limit 1/second -j LOG -A logpass-109 -m limit --limit 1/second -j LOG -A logpass-115 -m limit --limit 1/second -j LOG 
@@ -13848,10 +13424,6 @@ COMMIT -A logpass-130 -m limit --limit 1/second -j LOG -A logpass-136 -m limit --limit 1/second -j LOG -A logpass-137 -m limit --limit 1/second -j LOG --A logpass-167 -m limit --limit 1/second -j LOG --A logpass-168 -j LOG --A logpass-168 -j TEE --gateway fc00::1 --A logpass-169 -j TEE --gateway fc00::2 -A logpass-25 -m limit --limit 1/second -j LOG -A logpass-26 -m limit --limit 1/second -j LOG -A logpass-27 -m limit --limit 1/second -j LOG diff --git a/test/output/address/rules-save b/test/output/address/rules-save index d591002..4639029 100644 --- a/test/output/address/rules-save +++ b/test/output/address/rules-save @@ -543,10 +543,6 @@ :logaccept-264 - [0:0] :logaccept-265 - [0:0] :logaccept-266 - [0:0] -:logaccept-267 - [0:0] -:logaccept-268 - [0:0] -:logaccept-269 - [0:0] -:logaccept-270 - [0:0] :logaccept-3 - [0:0] :logaccept-32 - [0:0] :logaccept-33 - [0:0] @@ -610,11 +606,6 @@ :logaccept-97 - [0:0] :logaccept-98 - [0:0] :logaccept-99 - [0:0] -:logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] :logpass-0 - [0:0] :logpass-1 - [0:0] :logpass-10 - [0:0] @@ -689,11 +680,7 @@ :logpass-164 - [0:0] :logpass-165 - [0:0] :logpass-166 - [0:0] -:logpass-167 - [0:0] -:logpass-168 - [0:0] -:logpass-169 - [0:0] :logpass-17 - [0:0] -:logpass-170 - [0:0] :logpass-18 - [0:0] :logpass-19 - [0:0] :logpass-2 - [0:0] 
@@ -1878,27 +1865,6 @@ -A FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j address-472 -A FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j address-473 -A FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j address-473 --A FORWARD -j ACCEPT --A FORWARD -j logdrop-0 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-267 --A FORWARD -j logdrop-1 --A FORWARD -j logpass-167 --A FORWARD -j logaccept-268 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-168 --A FORWARD -j logaccept-269 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-169 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-270 --A FORWARD -j logdrop-4 --A FORWARD -j logpass-170 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT @@ -2664,27 +2630,6 @@ -A INPUT -i eth1 -s 10.0.0.0/12 -j address-383 -A INPUT -i eth2 -s 10.1.0.0/12 -j address-383 -A INPUT -i eth3 -s 10.1.0.0/12 -j address-383 --A INPUT -j ACCEPT --A INPUT -j logdrop-0 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-267 --A INPUT -j logdrop-1 --A INPUT -j logpass-167 --A INPUT -j logaccept-268 --A INPUT -j logdrop-2 --A INPUT -j logpass-168 --A INPUT -j logaccept-269 --A INPUT -j logdrop-3 --A INPUT -j logpass-169 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-270 --A INPUT -j logdrop-4 --A INPUT -j logpass-170 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmp -j icmp-routing 
@@ -2942,27 +2887,6 @@ -A OUTPUT -o eth1 -d 10.0.0.0/12 -j address-93 -A OUTPUT -o eth1 -d 10.0.0.0/12 -j address-94 -A OUTPUT -o eth1 -d 10.0.0.0/12 -j address-95 --A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-0 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-267 --A OUTPUT -j logdrop-1 --A OUTPUT -j logpass-167 --A OUTPUT -j logaccept-268 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-168 --A OUTPUT -j logaccept-269 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-169 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-270 --A OUTPUT -j logdrop-4 --A OUTPUT -j logpass-170 -A OUTPUT -m limit --limit 12/minute -j ULOG -A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT @@ -3916,15 +3840,6 @@ -A logaccept-265 -j ACCEPT -A logaccept-266 -m limit --limit 12/minute -j ULOG -A logaccept-266 -j ACCEPT --A logaccept-267 -m limit --limit 1/second -j LOG --A logaccept-267 -j ACCEPT --A logaccept-268 -j LOG --A logaccept-268 -j ACCEPT --A logaccept-269 -j TEE --gateway 10.0.0.1 --A logaccept-269 -j TEE --gateway 10.0.0.2 --A logaccept-269 -j ACCEPT --A logaccept-270 -m limit --limit 12/minute -j ULOG --A logaccept-270 -j ACCEPT -A logaccept-3 -m limit --limit 12/minute -j ULOG -A logaccept-3 -j ACCEPT -A logaccept-32 -m limit --limit 1/second -j LOG @@ -4051,17 +3966,6 @@ -A logaccept-98 -j ACCEPT -A logaccept-99 -m limit --limit 12/minute -j ULOG -A logaccept-99 -j ACCEPT --A logdrop-0 -m limit --limit 1/second -j LOG --A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -j LOG --A logdrop-2 -j DROP --A logdrop-3 -j TEE --gateway 10.0.0.1 --A logdrop-3 -j TEE --gateway 10.0.0.2 --A logdrop-3 -j DROP --A logdrop-4 -m limit --limit 12/minute -j ULOG --A logdrop-4 -j DROP -A logpass-0 -m limit --limit 1/second -j LOG -A logpass-1 -m limit --limit 12/minute -j ULOG -A logpass-10 -m limit --limit 12/minute -j ULOG 
@@ -4136,12 +4040,7 @@ -A logpass-164 -m limit --limit 12/minute -j ULOG -A logpass-165 -m limit --limit 1/second -j LOG -A logpass-166 -m limit --limit 12/minute -j ULOG --A logpass-167 -m limit --limit 1/second -j LOG --A logpass-168 -j LOG --A logpass-169 -j TEE --gateway 10.0.0.1 --A logpass-169 -j TEE --gateway 10.0.0.2 -A logpass-17 -m limit --limit 1/second -j LOG --A logpass-170 -m limit --limit 12/minute -j ULOG -A logpass-18 -m limit --limit 12/minute -j ULOG -A logpass-19 -m limit --limit 1/second -j LOG -A logpass-2 -m limit --limit 1/second -j LOG diff --git a/test/output/address/rules6-save b/test/output/address/rules6-save index 47efb3c..4150949 100644 --- a/test/output/address/rules6-save +++ b/test/output/address/rules6-save @@ -180,11 +180,7 @@ :logaccept-233 - [0:0] :logaccept-234 - [0:0] :logaccept-26 - [0:0] -:logaccept-267 - [0:0] -:logaccept-268 - [0:0] -:logaccept-269 - [0:0] :logaccept-27 - [0:0] -:logaccept-270 - [0:0] :logaccept-28 - [0:0] :logaccept-29 - [0:0] :logaccept-30 - [0:0] @@ -219,11 +215,6 @@ :logaccept-88 - [0:0] :logaccept-89 - [0:0] :logaccept-9 - [0:0] -:logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] :logpass-0 - [0:0] :logpass-109 - [0:0] :logpass-115 - [0:0] @@ -231,9 +222,6 @@ :logpass-130 - [0:0] :logpass-136 - [0:0] :logpass-137 - [0:0] -:logpass-167 - [0:0] -:logpass-168 - [0:0] -:logpass-169 - [0:0] :logpass-25 - [0:0] :logpass-26 - [0:0] :logpass-27 - [0:0] 
@@ -525,26 +513,6 @@ -A FORWARD -i eth1 -s fc00::/7 -j address-380 -A FORWARD -i eth1 -s fc00::/7 -j address-381 -A FORWARD -i eth1 -s fc00::/7 -j address-382 --A FORWARD -j ACCEPT --A FORWARD -j logdrop-0 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-267 --A FORWARD -j logdrop-1 --A FORWARD -j logpass-167 --A FORWARD -j logaccept-268 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-168 --A FORWARD -j logaccept-269 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-169 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-270 --A FORWARD -j logdrop-4 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT @@ -756,26 +724,6 @@ -A INPUT -i eth1 -s fc00::/7 -j address-380 -A INPUT -i eth1 -s fc00::/7 -j address-381 -A INPUT -i eth1 -s fc00::/7 -j address-382 --A INPUT -j ACCEPT --A INPUT -j logdrop-0 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-267 --A INPUT -j logdrop-1 --A INPUT -j logpass-167 --A INPUT -j logaccept-268 --A INPUT -j logdrop-2 --A INPUT -j logpass-168 --A INPUT -j logaccept-269 --A INPUT -j logdrop-3 --A INPUT -j logpass-169 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-270 --A INPUT -j logdrop-4 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmpv6 -j ACCEPT 
@@ -872,26 +820,6 @@ -A OUTPUT -o eth1 -d fc00::/7 -j address-93 -A OUTPUT -o eth1 -d fc00::/7 -j address-94 -A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-0 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-267 --A OUTPUT -j logdrop-1 --A OUTPUT -j logpass-167 --A OUTPUT -j logaccept-268 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-168 --A OUTPUT -j logaccept-269 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-169 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-270 --A OUTPUT -j logdrop-4 --A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT -A OUTPUT -p icmpv6 -j ACCEPT -A address-108 -d fc00::2 -j ACCEPT @@ -1109,15 +1037,7 @@ -A logaccept-234 -j ACCEPT -A logaccept-26 -m limit --limit 1/second -j LOG -A logaccept-26 -j ACCEPT --A logaccept-267 -m limit --limit 1/second -j LOG --A logaccept-267 -j ACCEPT --A logaccept-268 -j LOG --A logaccept-268 -j TEE --gateway fc00::1 --A logaccept-268 -j ACCEPT --A logaccept-269 -j TEE --gateway fc00::2 --A logaccept-269 -j ACCEPT -A logaccept-27 -j ACCEPT --A logaccept-270 -j ACCEPT -A logaccept-28 -m limit --limit 1/second -j LOG -A logaccept-28 -j ACCEPT -A logaccept-29 -j ACCEPT @@ -1171,16 +1091,6 @@ -A logaccept-88 -j ACCEPT -A logaccept-89 -j ACCEPT -A logaccept-9 -j ACCEPT --A logdrop-0 -m limit --limit 1/second -j LOG --A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -j LOG --A logdrop-2 -j TEE --gateway fc00::1 --A logdrop-2 -j DROP --A logdrop-3 -j TEE --gateway fc00::2 --A logdrop-3 -j DROP --A logdrop-4 -j DROP -A logpass-0 -m limit --limit 1/second -j LOG -A logpass-109 -m limit --limit 1/second -j LOG -A logpass-115 -m limit --limit 1/second -j LOG 
@@ -1188,10 +1098,6 @@ -A logpass-130 -m limit --limit 1/second -j LOG -A logpass-136 -m limit --limit 1/second -j LOG -A logpass-137 -m limit --limit 1/second -j LOG --A logpass-167 -m limit --limit 1/second -j LOG --A logpass-168 -j LOG --A logpass-168 -j TEE --gateway fc00::1 --A logpass-169 -j TEE --gateway fc00::2 -A logpass-25 -m limit --limit 1/second -j LOG -A logpass-26 -m limit --limit 1/second -j LOG -A logpass-27 -m limit --limit 1/second -j LOG diff --git a/test/output/custom/dump b/test/output/custom/dump index 998dcce..67c6316 100644 --- a/test/output/custom/dump +++ b/test/output/custom/dump 
@@ -17,350 +17,117 @@ Dnat 3 {"in":"B"} inet/nat/PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT -Filter 1 {"match":"-m owner --uid-owner 0","out":"A"} -(custom) - inet/filter/FORWARD -o eth0 -m owner --uid-owner 0 -j ACCEPT - inet/filter/OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT - inet6/filter/FORWARD -o eth0 -m owner --uid-owner 0 -j ACCEPT - inet6/filter/OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT - -Filter 2 {"action":"custom:foo","in":"B"} -(custom) - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -j custom:foo - inet/filter/INPUT -i eth1 -s 10.0.0.0/12 -j custom:foo - inet6/filter/FORWARD -i eth1 -s fc00::/7 -j custom:foo - inet6/filter/INPUT -i eth1 -s fc00::/7 -j custom:foo - -Filter 3 {} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 4 {"action":"drop"} -(log) - inet/filter/FORWARD -j logdrop-0 - inet/filter/INPUT -j logdrop-0 - inet/filter/OUTPUT -j logdrop-0 - inet/filter/logdrop-0 -m limit --limit 1/second -j LOG - inet/filter/logdrop-0 -j DROP - inet6/filter/FORWARD -j logdrop-0 - inet6/filter/INPUT -j logdrop-0 - inet6/filter/OUTPUT -j logdrop-0 - inet6/filter/logdrop-0 -m limit --limit 1/second -j LOG - inet6/filter/logdrop-0 -j DROP - -Filter 5 {"action":"pass"} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 6 {"log":false} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 7 {"action":"drop","log":false} -(log) - inet/filter/FORWARD -j DROP - inet/filter/INPUT -j DROP - inet/filter/OUTPUT -j DROP - inet6/filter/FORWARD -j DROP - inet6/filter/INPUT -j DROP - inet6/filter/OUTPUT -j DROP - -Filter 8 {"action":"pass","log":false} -(log) - 
inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 9 {"log":true} -(log) - inet/filter/FORWARD -j logaccept-0 - inet/filter/INPUT -j logaccept-0 - inet/filter/OUTPUT -j logaccept-0 - inet/filter/logaccept-0 -m limit --limit 1/second -j LOG - inet/filter/logaccept-0 -j ACCEPT - inet6/filter/FORWARD -j logaccept-0 - inet6/filter/INPUT -j logaccept-0 - inet6/filter/OUTPUT -j logaccept-0 - inet6/filter/logaccept-0 -m limit --limit 1/second -j LOG - inet6/filter/logaccept-0 -j ACCEPT - -Filter 10 {"action":"drop","log":true} -(log) - inet/filter/FORWARD -j logdrop-1 - inet/filter/INPUT -j logdrop-1 - inet/filter/OUTPUT -j logdrop-1 - inet/filter/logdrop-1 -m limit --limit 1/second -j LOG - inet/filter/logdrop-1 -j DROP - inet6/filter/FORWARD -j logdrop-1 - inet6/filter/INPUT -j logdrop-1 - inet6/filter/OUTPUT -j logdrop-1 - inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG - inet6/filter/logdrop-1 -j DROP - -Filter 11 {"action":"pass","log":true} -(log) - inet/filter/FORWARD -j logpass-0 - inet/filter/INPUT -j logpass-0 - inet/filter/OUTPUT -j logpass-0 - inet/filter/logpass-0 -m limit --limit 1/second -j LOG - inet6/filter/FORWARD -j logpass-0 - inet6/filter/INPUT -j logpass-0 - inet6/filter/OUTPUT -j logpass-0 - inet6/filter/logpass-0 -m limit --limit 1/second -j LOG - -Filter 12 {"log":"dual"} -(log) - inet/filter/FORWARD -j logaccept-1 - inet/filter/INPUT -j logaccept-1 - inet/filter/OUTPUT -j logaccept-1 - inet/filter/logaccept-1 -j LOG - inet/filter/logaccept-1 -j ACCEPT - inet6/filter/FORWARD -j logaccept-1 - inet6/filter/INPUT -j logaccept-1 - inet6/filter/OUTPUT -j logaccept-1 - inet6/filter/logaccept-1 -j LOG - inet6/filter/logaccept-1 -j TEE --gateway fc00::1 - inet6/filter/logaccept-1 -j ACCEPT - -Filter 13 {"action":"drop","log":"dual"} -(log) - inet/filter/FORWARD -j logdrop-2 - inet/filter/INPUT -j logdrop-2 - inet/filter/OUTPUT -j logdrop-2 - inet/filter/logdrop-2 
-j LOG - inet/filter/logdrop-2 -j DROP - inet6/filter/FORWARD -j logdrop-2 - inet6/filter/INPUT -j logdrop-2 - inet6/filter/OUTPUT -j logdrop-2 - inet6/filter/logdrop-2 -j LOG - inet6/filter/logdrop-2 -j TEE --gateway fc00::1 - inet6/filter/logdrop-2 -j DROP - -Filter 14 {"action":"pass","log":"dual"} -(log) - inet/filter/FORWARD -j logpass-1 - inet/filter/INPUT -j logpass-1 - inet/filter/OUTPUT -j logpass-1 - inet/filter/logpass-1 -j LOG - inet6/filter/FORWARD -j logpass-1 - inet6/filter/INPUT -j logpass-1 - inet6/filter/OUTPUT -j logpass-1 - inet6/filter/logpass-1 -j LOG - inet6/filter/logpass-1 -j TEE --gateway fc00::1 - -Filter 15 {"log":"mirror"} -(log) - inet/filter/FORWARD -j logaccept-2 - inet/filter/INPUT -j logaccept-2 - inet/filter/OUTPUT -j logaccept-2 - inet/filter/logaccept-2 -j TEE --gateway 10.0.0.1 - inet/filter/logaccept-2 -j TEE --gateway 10.0.0.2 - inet/filter/logaccept-2 -j ACCEPT - inet6/filter/FORWARD -j logaccept-2 - inet6/filter/INPUT -j logaccept-2 - inet6/filter/OUTPUT -j logaccept-2 - inet6/filter/logaccept-2 -j TEE --gateway fc00::2 - inet6/filter/logaccept-2 -j ACCEPT - -Filter 16 {"action":"drop","log":"mirror"} -(log) - inet/filter/FORWARD -j logdrop-3 - inet/filter/INPUT -j logdrop-3 - inet/filter/OUTPUT -j logdrop-3 - inet/filter/logdrop-3 -j TEE --gateway 10.0.0.1 - inet/filter/logdrop-3 -j TEE --gateway 10.0.0.2 - inet/filter/logdrop-3 -j DROP - inet6/filter/FORWARD -j logdrop-3 - inet6/filter/INPUT -j logdrop-3 - inet6/filter/OUTPUT -j logdrop-3 - inet6/filter/logdrop-3 -j TEE --gateway fc00::2 - inet6/filter/logdrop-3 -j DROP - -Filter 17 {"action":"pass","log":"mirror"} -(log) - inet/filter/FORWARD -j logpass-2 - inet/filter/INPUT -j logpass-2 - inet/filter/OUTPUT -j logpass-2 - inet/filter/logpass-2 -j TEE --gateway 10.0.0.1 - inet/filter/logpass-2 -j TEE --gateway 10.0.0.2 - inet6/filter/FORWARD -j logpass-2 - inet6/filter/INPUT -j logpass-2 - inet6/filter/OUTPUT -j logpass-2 - inet6/filter/logpass-2 -j TEE --gateway fc00::2 
- -Filter 18 {"log":"none"} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 19 {"action":"drop","log":"none"} -(log) - inet/filter/FORWARD -j DROP - inet/filter/INPUT -j DROP - inet/filter/OUTPUT -j DROP - inet6/filter/FORWARD -j DROP - inet6/filter/INPUT -j DROP - inet6/filter/OUTPUT -j DROP - -Filter 20 {"action":"pass","log":"none"} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 21 {"log":"ulog"} -(log) - inet/filter/FORWARD -j logaccept-3 - inet/filter/INPUT -j logaccept-3 - inet/filter/OUTPUT -j logaccept-3 - inet/filter/logaccept-3 -m limit --limit 12/minute -j ULOG - inet/filter/logaccept-3 -j ACCEPT - inet6/filter/FORWARD -j logaccept-3 - inet6/filter/INPUT -j logaccept-3 - inet6/filter/OUTPUT -j logaccept-3 - inet6/filter/logaccept-3 -j ACCEPT - -Filter 22 {"action":"drop","log":"ulog"} -(log) - inet/filter/FORWARD -j logdrop-4 - inet/filter/INPUT -j logdrop-4 - inet/filter/OUTPUT -j logdrop-4 - inet/filter/logdrop-4 -m limit --limit 12/minute -j ULOG - inet/filter/logdrop-4 -j DROP - inet6/filter/FORWARD -j logdrop-4 - inet6/filter/INPUT -j logdrop-4 - inet6/filter/OUTPUT -j logdrop-4 - inet6/filter/logdrop-4 -j DROP - -Filter 23 {"action":"pass","log":"ulog"} -(log) - inet/filter/FORWARD -j logpass-3 - inet/filter/INPUT -j logpass-3 - inet/filter/OUTPUT -j logpass-3 - inet/filter/logpass-3 -m limit --limit 12/minute -j ULOG - -Filter 24 {"action":"pass","in":"_fw","log":"ulog"} -(log) - inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG - -Filter 25 {"in":["_fw","A"]} -(zone) - inet/filter/FORWARD -i eth0 -j ACCEPT - inet/filter/INPUT -i eth0 -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -i eth0 -j ACCEPT - inet6/filter/INPUT -i eth0 -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - 
-Filter 26 {"in":"B","out":"C"} -(zone) - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT +Filter 1 {"match":"-m owner --uid-owner 0","out":"A"} +(custom) + inet/filter/FORWARD -o eth0 -m owner --uid-owner 0 -j ACCEPT + inet/filter/OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT + inet6/filter/FORWARD -o eth0 -m owner --uid-owner 0 -j ACCEPT + inet6/filter/OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT + +Filter 2 {"action":"custom:foo","in":"B"} +(custom) + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -j custom:foo + inet/filter/INPUT -i eth1 -s 10.0.0.0/12 -j custom:foo + inet6/filter/FORWARD -i eth1 -s fc00::/7 -j custom:foo + inet6/filter/INPUT -i eth1 -s fc00::/7 -j custom:foo + +Filter 3 {"action":"pass","in":"_fw","log":"ulog"} +(log) + inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG + +Filter 4 {"in":["_fw","A"]} +(zone) + inet/filter/FORWARD -i eth0 -j ACCEPT + inet/filter/INPUT -i eth0 -j ACCEPT + inet/filter/OUTPUT -j ACCEPT + inet6/filter/FORWARD -i eth0 -j ACCEPT + inet6/filter/INPUT -i eth0 -j ACCEPT + inet6/filter/OUTPUT -j ACCEPT + +Filter 5 {"in":"B","out":"C"} +(zone) + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT -Filter 27 {"out":["_fw","B"]} -(zone) - inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT - -Filter 28 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} -(zone) - inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT 
- inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT - 
inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 
-d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT +Filter 6 {"out":["_fw","B"]} +(zone) + inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/INPUT -j ACCEPT + inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/INPUT -j ACCEPT + inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT + +Filter 7 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} +(zone) + inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j 
ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT + inet6/filter/FORWARD 
-i eth1 -s fc00::/7 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT Ipset awall-masquerade {"family":"inet","type":"hash:net"} 
@@ -701,43 +468,9 @@ hash:net family inet :OUTPUT DROP [0:0] :custom:foo - [0:0] :icmp-routing - [0:0] -:logaccept-0 - [0:0] -:logaccept-1 - [0:0] -:logaccept-2 - [0:0] -:logaccept-3 - [0:0] -:logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] -:logpass-3 - [0:0] -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT -A FORWARD -o eth0 -m owner --uid-owner 0 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -j custom:foo --A FORWARD -j ACCEPT --A FORWARD -j logdrop-0 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-0 --A FORWARD -j logdrop-1 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-1 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-2 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-3 --A FORWARD -j logdrop-4 --A FORWARD -j logpass-3 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT 
@@ -796,54 +529,12 @@ hash:net family inet -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i eth1 -s 10.0.0.0/12 -j custom:foo --A INPUT -j ACCEPT --A INPUT -j logdrop-0 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-0 --A INPUT -j logdrop-1 --A INPUT -j logpass-0 --A INPUT -j logaccept-1 --A INPUT -j logdrop-2 --A INPUT -j logpass-1 --A INPUT -j logaccept-2 --A INPUT -j logdrop-3 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-3 --A INPUT -j logdrop-4 --A INPUT -j logpass-3 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmp -j icmp-routing -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT --A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-0 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-0 --A OUTPUT -j logdrop-1 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-1 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-2 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-3 --A OUTPUT -j logdrop-4 --A OUTPUT -j logpass-3 -A OUTPUT -m limit --limit 12/minute -j ULOG -A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT 
@@ -852,31 +543,6 @@ hash:net family inet -A icmp-routing -p icmp --icmp-type 3 -j ACCEPT -A icmp-routing -p icmp --icmp-type 11 -j ACCEPT -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT --A logaccept-0 -m limit --limit 1/second -j LOG --A logaccept-0 -j ACCEPT --A logaccept-1 -j LOG --A logaccept-1 -j ACCEPT --A logaccept-2 -j TEE --gateway 10.0.0.1 --A logaccept-2 -j TEE --gateway 10.0.0.2 --A logaccept-2 -j ACCEPT --A logaccept-3 -m limit --limit 12/minute -j ULOG --A logaccept-3 -j ACCEPT --A logdrop-0 -m limit --limit 1/second -j LOG --A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -j LOG --A logdrop-2 -j DROP --A logdrop-3 -j TEE --gateway 10.0.0.1 --A logdrop-3 -j TEE --gateway 10.0.0.2 --A logdrop-3 -j DROP --A logdrop-4 -m limit --limit 12/minute -j ULOG --A logdrop-4 -j DROP --A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-2 -j TEE --gateway 10.0.0.1 --A logpass-2 -j TEE --gateway 10.0.0.2 --A logpass-3 -m limit --limit 12/minute -j ULOG COMMIT *mangle :FORWARD ACCEPT [0:0] 
@@ -924,41 +590,9 @@ COMMIT :OUTPUT DROP [0:0] :custom:foo - [0:0] :icmp-routing - [0:0] -:logaccept-0 - [0:0] -:logaccept-1 - [0:0] -:logaccept-2 - [0:0] -:logaccept-3 - [0:0] -:logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT -A FORWARD -o eth0 -m owner --uid-owner 0 -j ACCEPT -A FORWARD -i eth1 -s fc00::/7 -j custom:foo --A FORWARD -j ACCEPT --A FORWARD -j logdrop-0 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-0 --A FORWARD -j logdrop-1 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-1 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-2 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-3 --A FORWARD -j logdrop-4 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT @@ -991,26 +625,6 @@ COMMIT -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i eth1 -s fc00::/7 -j custom:foo --A INPUT -j ACCEPT --A INPUT -j logdrop-0 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-0 --A INPUT -j logdrop-1 --A INPUT -j logpass-0 --A INPUT -j logaccept-1 --A INPUT -j logdrop-2 --A INPUT -j logpass-1 --A INPUT -j logaccept-2 --A INPUT -j logdrop-3 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-3 --A INPUT -j logdrop-4 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmpv6 -j ACCEPT 
@@ -1018,26 +632,6 @@ COMMIT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT -A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-0 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-0 --A OUTPUT -j logdrop-1 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-1 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-2 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-3 --A OUTPUT -j logdrop-4 --A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT -A OUTPUT -p icmpv6 -j ACCEPT -A custom:foo -m hl --hl-lt 7 -j REJECT --reject-with icmpv6-no-route @@ -1046,28 +640,6 @@ COMMIT -A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT --A logaccept-0 -m limit --limit 1/second -j LOG --A logaccept-0 -j ACCEPT --A logaccept-1 -j LOG --A logaccept-1 -j TEE --gateway fc00::1 --A logaccept-1 -j ACCEPT --A logaccept-2 -j TEE --gateway fc00::2 --A logaccept-2 -j ACCEPT --A logaccept-3 -j ACCEPT --A logdrop-0 -m limit --limit 1/second -j LOG --A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -j LOG --A logdrop-2 -j TEE --gateway fc00::1 --A logdrop-2 -j DROP --A logdrop-3 -j TEE --gateway fc00::2 --A logdrop-3 -j DROP --A logdrop-4 -j DROP --A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-1 -j TEE --gateway fc00::1 --A logpass-2 -j TEE --gateway fc00::2 COMMIT *mangle :INPUT ACCEPT [0:0] diff --git a/test/output/custom/rules-save b/test/output/custom/rules-save index 2265a93..4a84d7d 100644 --- a/test/output/custom/rules-save +++ b/test/output/custom/rules-save 
@@ -5,43 +5,9 @@ :OUTPUT DROP [0:0] :custom:foo - [0:0] :icmp-routing - [0:0] -:logaccept-0 - [0:0] -:logaccept-1 - [0:0] -:logaccept-2 - [0:0] -:logaccept-3 - [0:0] -:logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] -:logpass-3 - [0:0] -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT -A FORWARD -o eth0 -m owner --uid-owner 0 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -j custom:foo --A FORWARD -j ACCEPT --A FORWARD -j logdrop-0 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-0 --A FORWARD -j logdrop-1 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-1 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-2 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-3 --A FORWARD -j logdrop-4 --A FORWARD -j logpass-3 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT 
@@ -100,54 +66,12 @@ -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i eth1 -s 10.0.0.0/12 -j custom:foo --A INPUT -j ACCEPT --A INPUT -j logdrop-0 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-0 --A INPUT -j logdrop-1 --A INPUT -j logpass-0 --A INPUT -j logaccept-1 --A INPUT -j logdrop-2 --A INPUT -j logpass-1 --A INPUT -j logaccept-2 --A INPUT -j logdrop-3 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-3 --A INPUT -j logdrop-4 --A INPUT -j logpass-3 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmp -j icmp-routing -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT --A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-0 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-0 --A OUTPUT -j logdrop-1 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-1 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-2 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-3 --A OUTPUT -j logdrop-4 --A OUTPUT -j logpass-3 -A OUTPUT -m limit --limit 12/minute -j ULOG -A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT 
@@ -156,31 +80,6 @@ -A icmp-routing -p icmp --icmp-type 3 -j ACCEPT -A icmp-routing -p icmp --icmp-type 11 -j ACCEPT -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT --A logaccept-0 -m limit --limit 1/second -j LOG --A logaccept-0 -j ACCEPT --A logaccept-1 -j LOG --A logaccept-1 -j ACCEPT --A logaccept-2 -j TEE --gateway 10.0.0.1 --A logaccept-2 -j TEE --gateway 10.0.0.2 --A logaccept-2 -j ACCEPT --A logaccept-3 -m limit --limit 12/minute -j ULOG --A logaccept-3 -j ACCEPT --A logdrop-0 -m limit --limit 1/second -j LOG --A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -j LOG --A logdrop-2 -j DROP --A logdrop-3 -j TEE --gateway 10.0.0.1 --A logdrop-3 -j TEE --gateway 10.0.0.2 --A logdrop-3 -j DROP --A logdrop-4 -m limit --limit 12/minute -j ULOG --A logdrop-4 -j DROP --A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-2 -j TEE --gateway 10.0.0.1 --A logpass-2 -j TEE --gateway 10.0.0.2 --A logpass-3 -m limit --limit 12/minute -j ULOG COMMIT *mangle :FORWARD ACCEPT [0:0] diff --git a/test/output/custom/rules6-save b/test/output/custom/rules6-save index 6069e82..b484c3f 100644 --- a/test/output/custom/rules6-save +++ b/test/output/custom/rules6-save 
@@ -5,41 +5,9 @@ :OUTPUT DROP [0:0] :custom:foo - [0:0] :icmp-routing - [0:0] -:logaccept-0 - [0:0] -:logaccept-1 - [0:0] -:logaccept-2 - [0:0] -:logaccept-3 - [0:0] -:logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT -A FORWARD -o eth0 -m owner --uid-owner 0 -j ACCEPT -A FORWARD -i eth1 -s fc00::/7 -j custom:foo --A FORWARD -j ACCEPT --A FORWARD -j logdrop-0 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-0 --A FORWARD -j logdrop-1 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-1 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-2 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-3 --A FORWARD -j logdrop-4 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT @@ -72,26 +40,6 @@ -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i eth1 -s fc00::/7 -j custom:foo --A INPUT -j ACCEPT --A INPUT -j logdrop-0 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-0 --A INPUT -j logdrop-1 --A INPUT -j logpass-0 --A INPUT -j logaccept-1 --A INPUT -j logdrop-2 --A INPUT -j logpass-1 --A INPUT -j logaccept-2 --A INPUT -j logdrop-3 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-3 --A INPUT -j logdrop-4 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmpv6 -j ACCEPT 
@@ -99,26 +47,6 @@ -A OUTPUT -o lo -j ACCEPT -A OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT -A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-0 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-0 --A OUTPUT -j logdrop-1 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-1 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-2 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-3 --A OUTPUT -j logdrop-4 --A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT -A OUTPUT -p icmpv6 -j ACCEPT -A custom:foo -m hl --hl-lt 7 -j REJECT --reject-with icmpv6-no-route @@ -127,28 +55,6 @@ -A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT --A logaccept-0 -m limit --limit 1/second -j LOG --A logaccept-0 -j ACCEPT --A logaccept-1 -j LOG --A logaccept-1 -j TEE --gateway fc00::1 --A logaccept-1 -j ACCEPT --A logaccept-2 -j TEE --gateway fc00::2 --A logaccept-2 -j ACCEPT --A logaccept-3 -j ACCEPT --A logdrop-0 -m limit --limit 1/second -j LOG --A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -j LOG --A logdrop-2 -j TEE --gateway fc00::1 --A logdrop-2 -j DROP --A logdrop-3 -j TEE --gateway fc00::2 --A logdrop-3 -j DROP --A logdrop-4 -j DROP --A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-1 -j TEE --gateway fc00::1 --A logpass-2 -j TEE --gateway fc00::2 COMMIT *mangle :INPUT ACCEPT [0:0] diff --git a/test/output/dedicated/dump b/test/output/dedicated/dump index 07316b6..a58ef41 100644 --- a/test/output/dedicated/dump +++ b/test/output/dedicated/dump 
@@ -12,336 +12,103 @@ Dnat 2 {"in":"B"} inet/nat/awall-PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT -Filter 1 {} -(log) - inet/filter/awall-FORWARD -j ACCEPT - inet/filter/awall-INPUT -j ACCEPT - inet/filter/awall-OUTPUT -j ACCEPT - inet6/filter/awall-FORWARD -j ACCEPT - inet6/filter/awall-INPUT -j ACCEPT - inet6/filter/awall-OUTPUT -j ACCEPT - -Filter 2 {"action":"drop"} -(log) - inet/filter/awall-FORWARD -j awall-logdrop-0 - inet/filter/awall-INPUT -j awall-logdrop-0 - inet/filter/awall-OUTPUT -j awall-logdrop-0 - inet/filter/awall-logdrop-0 -m limit --limit 1/second -j LOG - inet/filter/awall-logdrop-0 -j DROP - inet6/filter/awall-FORWARD -j awall-logdrop-0 - inet6/filter/awall-INPUT -j awall-logdrop-0 - inet6/filter/awall-OUTPUT -j awall-logdrop-0 - inet6/filter/awall-logdrop-0 -m limit --limit 1/second -j LOG - inet6/filter/awall-logdrop-0 -j DROP - -Filter 3 {"action":"pass"} -(log) - inet/filter/awall-FORWARD - inet/filter/awall-INPUT - inet/filter/awall-OUTPUT - inet6/filter/awall-FORWARD - inet6/filter/awall-INPUT - inet6/filter/awall-OUTPUT - -Filter 4 {"log":false} -(log) - inet/filter/awall-FORWARD -j ACCEPT - inet/filter/awall-INPUT -j ACCEPT - inet/filter/awall-OUTPUT -j ACCEPT - inet6/filter/awall-FORWARD -j ACCEPT - inet6/filter/awall-INPUT -j ACCEPT - inet6/filter/awall-OUTPUT -j ACCEPT - -Filter 5 {"action":"drop","log":false} -(log) - inet/filter/awall-FORWARD -j DROP - inet/filter/awall-INPUT -j DROP - inet/filter/awall-OUTPUT -j DROP - inet6/filter/awall-FORWARD -j DROP - inet6/filter/awall-INPUT -j DROP - inet6/filter/awall-OUTPUT -j DROP - -Filter 6 {"action":"pass","log":false} -(log) - inet/filter/awall-FORWARD - inet/filter/awall-INPUT - inet/filter/awall-OUTPUT - inet6/filter/awall-FORWARD - inet6/filter/awall-INPUT - inet6/filter/awall-OUTPUT - -Filter 7 {"log":true} -(log) - inet/filter/awall-FORWARD -j awall-logaccept-0 - inet/filter/awall-INPUT -j awall-logaccept-0 - inet/filter/awall-OUTPUT -j awall-logaccept-0 - 
inet/filter/awall-logaccept-0 -m limit --limit 1/second -j LOG - inet/filter/awall-logaccept-0 -j ACCEPT - inet6/filter/awall-FORWARD -j awall-logaccept-0 - inet6/filter/awall-INPUT -j awall-logaccept-0 - inet6/filter/awall-OUTPUT -j awall-logaccept-0 - inet6/filter/awall-logaccept-0 -m limit --limit 1/second -j LOG - inet6/filter/awall-logaccept-0 -j ACCEPT - -Filter 8 {"action":"drop","log":true} -(log) - inet/filter/awall-FORWARD -j awall-logdrop-1 - inet/filter/awall-INPUT -j awall-logdrop-1 - inet/filter/awall-OUTPUT -j awall-logdrop-1 - inet/filter/awall-logdrop-1 -m limit --limit 1/second -j LOG - inet/filter/awall-logdrop-1 -j DROP - inet6/filter/awall-FORWARD -j awall-logdrop-1 - inet6/filter/awall-INPUT -j awall-logdrop-1 - inet6/filter/awall-OUTPUT -j awall-logdrop-1 - inet6/filter/awall-logdrop-1 -m limit --limit 1/second -j LOG - inet6/filter/awall-logdrop-1 -j DROP - -Filter 9 {"action":"pass","log":true} -(log) - inet/filter/awall-FORWARD -j awall-logpass-0 - inet/filter/awall-INPUT -j awall-logpass-0 - inet/filter/awall-OUTPUT -j awall-logpass-0 - inet/filter/awall-logpass-0 -m limit --limit 1/second -j LOG - inet6/filter/awall-FORWARD -j awall-logpass-0 - inet6/filter/awall-INPUT -j awall-logpass-0 - inet6/filter/awall-OUTPUT -j awall-logpass-0 - inet6/filter/awall-logpass-0 -m limit --limit 1/second -j LOG - -Filter 10 {"log":"dual"} -(log) - inet/filter/awall-FORWARD -j awall-logaccept-1 - inet/filter/awall-INPUT -j awall-logaccept-1 - inet/filter/awall-OUTPUT -j awall-logaccept-1 - inet/filter/awall-logaccept-1 -j LOG - inet/filter/awall-logaccept-1 -j ACCEPT - inet6/filter/awall-FORWARD -j awall-logaccept-1 - inet6/filter/awall-INPUT -j awall-logaccept-1 - inet6/filter/awall-OUTPUT -j awall-logaccept-1 - inet6/filter/awall-logaccept-1 -j LOG - inet6/filter/awall-logaccept-1 -j TEE --gateway fc00::1 - inet6/filter/awall-logaccept-1 -j ACCEPT - -Filter 11 {"action":"drop","log":"dual"} -(log) - inet/filter/awall-FORWARD -j awall-logdrop-2 - 
inet/filter/awall-INPUT -j awall-logdrop-2 - inet/filter/awall-OUTPUT -j awall-logdrop-2 - inet/filter/awall-logdrop-2 -j LOG - inet/filter/awall-logdrop-2 -j DROP - inet6/filter/awall-FORWARD -j awall-logdrop-2 - inet6/filter/awall-INPUT -j awall-logdrop-2 - inet6/filter/awall-OUTPUT -j awall-logdrop-2 - inet6/filter/awall-logdrop-2 -j LOG - inet6/filter/awall-logdrop-2 -j TEE --gateway fc00::1 - inet6/filter/awall-logdrop-2 -j DROP - -Filter 12 {"action":"pass","log":"dual"} -(log) - inet/filter/awall-FORWARD -j awall-logpass-1 - inet/filter/awall-INPUT -j awall-logpass-1 - inet/filter/awall-OUTPUT -j awall-logpass-1 - inet/filter/awall-logpass-1 -j LOG - inet6/filter/awall-FORWARD -j awall-logpass-1 - inet6/filter/awall-INPUT -j awall-logpass-1 - inet6/filter/awall-OUTPUT -j awall-logpass-1 - inet6/filter/awall-logpass-1 -j LOG - inet6/filter/awall-logpass-1 -j TEE --gateway fc00::1 - -Filter 13 {"log":"mirror"} -(log) - inet/filter/awall-FORWARD -j awall-logaccept-2 - inet/filter/awall-INPUT -j awall-logaccept-2 - inet/filter/awall-OUTPUT -j awall-logaccept-2 - inet/filter/awall-logaccept-2 -j TEE --gateway 10.0.0.1 - inet/filter/awall-logaccept-2 -j TEE --gateway 10.0.0.2 - inet/filter/awall-logaccept-2 -j ACCEPT - inet6/filter/awall-FORWARD -j awall-logaccept-2 - inet6/filter/awall-INPUT -j awall-logaccept-2 - inet6/filter/awall-OUTPUT -j awall-logaccept-2 - inet6/filter/awall-logaccept-2 -j TEE --gateway fc00::2 - inet6/filter/awall-logaccept-2 -j ACCEPT - -Filter 14 {"action":"drop","log":"mirror"} -(log) - inet/filter/awall-FORWARD -j awall-logdrop-3 - inet/filter/awall-INPUT -j awall-logdrop-3 - inet/filter/awall-OUTPUT -j awall-logdrop-3 - inet/filter/awall-logdrop-3 -j TEE --gateway 10.0.0.1 - inet/filter/awall-logdrop-3 -j TEE --gateway 10.0.0.2 - inet/filter/awall-logdrop-3 -j DROP - inet6/filter/awall-FORWARD -j awall-logdrop-3 - inet6/filter/awall-INPUT -j awall-logdrop-3 - inet6/filter/awall-OUTPUT -j awall-logdrop-3 - inet6/filter/awall-logdrop-3 
-j TEE --gateway fc00::2 - inet6/filter/awall-logdrop-3 -j DROP - -Filter 15 {"action":"pass","log":"mirror"} -(log) - inet/filter/awall-FORWARD -j awall-logpass-2 - inet/filter/awall-INPUT -j awall-logpass-2 - inet/filter/awall-OUTPUT -j awall-logpass-2 - inet/filter/awall-logpass-2 -j TEE --gateway 10.0.0.1 - inet/filter/awall-logpass-2 -j TEE --gateway 10.0.0.2 - inet6/filter/awall-FORWARD -j awall-logpass-2 - inet6/filter/awall-INPUT -j awall-logpass-2 - inet6/filter/awall-OUTPUT -j awall-logpass-2 - inet6/filter/awall-logpass-2 -j TEE --gateway fc00::2 - -Filter 16 {"log":"none"} -(log) - inet/filter/awall-FORWARD -j ACCEPT - inet/filter/awall-INPUT -j ACCEPT - inet/filter/awall-OUTPUT -j ACCEPT - inet6/filter/awall-FORWARD -j ACCEPT - inet6/filter/awall-INPUT -j ACCEPT - inet6/filter/awall-OUTPUT -j ACCEPT - -Filter 17 {"action":"drop","log":"none"} -(log) - inet/filter/awall-FORWARD -j DROP - inet/filter/awall-INPUT -j DROP - inet/filter/awall-OUTPUT -j DROP - inet6/filter/awall-FORWARD -j DROP - inet6/filter/awall-INPUT -j DROP - inet6/filter/awall-OUTPUT -j DROP - -Filter 18 {"action":"pass","log":"none"} -(log) - inet/filter/awall-FORWARD - inet/filter/awall-INPUT - inet/filter/awall-OUTPUT - inet6/filter/awall-FORWARD - inet6/filter/awall-INPUT - inet6/filter/awall-OUTPUT - -Filter 19 {"log":"ulog"} -(log) - inet/filter/awall-FORWARD -j awall-logaccept-3 - inet/filter/awall-INPUT -j awall-logaccept-3 - inet/filter/awall-OUTPUT -j awall-logaccept-3 - inet/filter/awall-logaccept-3 -m limit --limit 12/minute -j ULOG - inet/filter/awall-logaccept-3 -j ACCEPT - inet6/filter/awall-FORWARD -j awall-logaccept-3 - inet6/filter/awall-INPUT -j awall-logaccept-3 - inet6/filter/awall-OUTPUT -j awall-logaccept-3 - inet6/filter/awall-logaccept-3 -j ACCEPT - -Filter 20 {"action":"drop","log":"ulog"} -(log) - inet/filter/awall-FORWARD -j awall-logdrop-4 - inet/filter/awall-INPUT -j awall-logdrop-4 - inet/filter/awall-OUTPUT -j awall-logdrop-4 - 
inet/filter/awall-logdrop-4 -m limit --limit 12/minute -j ULOG - inet/filter/awall-logdrop-4 -j DROP - inet6/filter/awall-FORWARD -j awall-logdrop-4 - inet6/filter/awall-INPUT -j awall-logdrop-4 - inet6/filter/awall-OUTPUT -j awall-logdrop-4 - inet6/filter/awall-logdrop-4 -j DROP - -Filter 21 {"action":"pass","log":"ulog"} -(log) - inet/filter/awall-FORWARD -j awall-logpass-3 - inet/filter/awall-INPUT -j awall-logpass-3 - inet/filter/awall-OUTPUT -j awall-logpass-3 - inet/filter/awall-logpass-3 -m limit --limit 12/minute -j ULOG - -Filter 22 {"action":"pass","in":"_fw","log":"ulog"} -(log) - inet/filter/awall-OUTPUT -m limit --limit 12/minute -j ULOG - -Filter 23 {"in":["_fw","A"]} -(zone) - inet/filter/awall-FORWARD -i eth0 -j ACCEPT - inet/filter/awall-INPUT -i eth0 -j ACCEPT - inet/filter/awall-OUTPUT -j ACCEPT - inet6/filter/awall-FORWARD -i eth0 -j ACCEPT - inet6/filter/awall-INPUT -i eth0 -j ACCEPT - inet6/filter/awall-OUTPUT -j ACCEPT - -Filter 24 {"in":"B","out":"C"} -(zone) - inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT +Filter 1 {"action":"pass","in":"_fw","log":"ulog"} +(log) + inet/filter/awall-OUTPUT -m limit --limit 12/minute -j ULOG -Filter 25 {"out":["_fw","B"]} -(zone) - inet/filter/awall-FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/awall-INPUT -j ACCEPT - inet/filter/awall-OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet6/filter/awall-FORWARD -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/awall-INPUT -j ACCEPT - inet6/filter/awall-OUTPUT -o eth1 -d fc00::/7 -j ACCEPT - -Filter 26 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} -(zone) - inet/filter/awall-FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/awall-FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/awall-FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/awall-FORWARD -i eth0 -o eth4 -j ACCEPT - 
inet/filter/awall-FORWARD -i eth0 -o eth5 -j ACCEPT - inet/filter/awall-FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT - inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT - inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT - inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT - inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT - inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT - inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT - inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT - inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT - inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/awall-FORWARD -i eth4 -o eth0 -j ACCEPT - inet/filter/awall-FORWARD -i eth5 -o eth0 -j ACCEPT - inet/filter/awall-FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/awall-FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/awall-FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/awall-FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/awall-FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT - 
inet/filter/awall-FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/awall-FORWARD -i eth4 -o eth4 -j ACCEPT - inet/filter/awall-FORWARD -i eth4 -o eth5 -j ACCEPT - inet/filter/awall-FORWARD -i eth5 -o eth4 -j ACCEPT - inet/filter/awall-FORWARD -i eth5 -o eth5 -j ACCEPT - inet/filter/awall-FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/awall-FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT - inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT - inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT - inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/awall-FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/awall-FORWARD -i eth0 -o eth4 -j ACCEPT - inet6/filter/awall-FORWARD -i eth0 -o eth5 -j ACCEPT - inet6/filter/awall-FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/awall-FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT - inet6/filter/awall-FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT - inet6/filter/awall-FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT - inet6/filter/awall-FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/awall-FORWARD -i eth4 -o eth0 -j ACCEPT - inet6/filter/awall-FORWARD -i eth5 -o eth0 -j ACCEPT - inet6/filter/awall-FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/awall-FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/awall-FORWARD -i eth4 -o eth4 -j ACCEPT - inet6/filter/awall-FORWARD -i eth4 -o eth5 -j ACCEPT - inet6/filter/awall-FORWARD -i eth5 -o eth4 -j 
ACCEPT - inet6/filter/awall-FORWARD -i eth5 -o eth5 -j ACCEPT - inet6/filter/awall-FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/awall-FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT - inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT - inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT - inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT +Filter 2 {"in":["_fw","A"]} +(zone) + inet/filter/awall-FORWARD -i eth0 -j ACCEPT + inet/filter/awall-INPUT -i eth0 -j ACCEPT + inet/filter/awall-OUTPUT -j ACCEPT + inet6/filter/awall-FORWARD -i eth0 -j ACCEPT + inet6/filter/awall-INPUT -i eth0 -j ACCEPT + inet6/filter/awall-OUTPUT -j ACCEPT + +Filter 3 {"in":"B","out":"C"} +(zone) + inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + +Filter 4 {"out":["_fw","B"]} +(zone) + inet/filter/awall-FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/awall-INPUT -j ACCEPT + inet/filter/awall-OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet6/filter/awall-FORWARD -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/awall-INPUT -j ACCEPT + inet6/filter/awall-OUTPUT -o eth1 -d fc00::/7 -j ACCEPT + +Filter 5 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} +(zone) + inet/filter/awall-FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth0 -o eth4 -j ACCEPT + inet/filter/awall-FORWARD -i eth0 -o eth5 -j ACCEPT + inet/filter/awall-FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/awall-FORWARD 
-i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT + inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT + inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT + inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT + inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT + inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT + inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT + inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT + inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT + inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/awall-FORWARD -i eth4 -o eth0 -j ACCEPT + inet/filter/awall-FORWARD -i eth5 -o eth0 -j ACCEPT + inet/filter/awall-FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth4 -o eth4 -j ACCEPT + inet/filter/awall-FORWARD -i eth4 -o eth5 -j 
ACCEPT + inet/filter/awall-FORWARD -i eth5 -o eth4 -j ACCEPT + inet/filter/awall-FORWARD -i eth5 -o eth5 -j ACCEPT + inet/filter/awall-FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/awall-FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT + inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT + inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT + inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/awall-FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/awall-FORWARD -i eth0 -o eth4 -j ACCEPT + inet6/filter/awall-FORWARD -i eth0 -o eth5 -j ACCEPT + inet6/filter/awall-FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/awall-FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT + inet6/filter/awall-FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT + inet6/filter/awall-FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT + inet6/filter/awall-FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/awall-FORWARD -i eth4 -o eth0 -j ACCEPT + inet6/filter/awall-FORWARD -i eth5 -o eth0 -j ACCEPT + inet6/filter/awall-FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/awall-FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/awall-FORWARD -i eth4 -o eth4 -j ACCEPT + inet6/filter/awall-FORWARD -i eth4 -o eth5 -j ACCEPT + inet6/filter/awall-FORWARD -i eth5 -o eth4 -j ACCEPT + inet6/filter/awall-FORWARD -i eth5 -o eth5 -j ACCEPT + inet6/filter/awall-FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/awall-FORWARD 
-i eth5 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT + inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT + inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT + inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT Ipset awall-masquerade {"family":"inet","type":"hash:net"} @@ -684,44 +451,10 @@ hash:net family inet :awall-INPUT - [0:0] :awall-OUTPUT - [0:0] :awall-icmp-routing - [0:0] -:awall-logaccept-0 - [0:0] -:awall-logaccept-1 - [0:0] -:awall-logaccept-2 - [0:0] -:awall-logaccept-3 - [0:0] -:awall-logdrop-0 - [0:0] -:awall-logdrop-1 - [0:0] -:awall-logdrop-2 - [0:0] -:awall-logdrop-3 - [0:0] -:awall-logdrop-4 - [0:0] -:awall-logpass-0 - [0:0] -:awall-logpass-1 - [0:0] -:awall-logpass-2 - [0:0] -:awall-logpass-3 - [0:0] -A FORWARD -j awall-FORWARD -A INPUT -j awall-INPUT -A OUTPUT -j awall-OUTPUT -A awall-FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT --A awall-FORWARD -j ACCEPT --A awall-FORWARD -j awall-logdrop-0 --A awall-FORWARD --A awall-FORWARD -j ACCEPT --A awall-FORWARD -j DROP --A awall-FORWARD --A awall-FORWARD -j awall-logaccept-0 --A awall-FORWARD -j awall-logdrop-1 --A awall-FORWARD -j awall-logpass-0 --A awall-FORWARD -j awall-logaccept-1 --A awall-FORWARD -j awall-logdrop-2 --A awall-FORWARD -j awall-logpass-1 --A awall-FORWARD -j awall-logaccept-2 --A awall-FORWARD -j awall-logdrop-3 --A awall-FORWARD -j awall-logpass-2 --A awall-FORWARD -j ACCEPT --A awall-FORWARD -j DROP --A awall-FORWARD --A awall-FORWARD -j awall-logaccept-3 --A awall-FORWARD -j awall-logdrop-4 --A awall-FORWARD -j awall-logpass-3 -A awall-FORWARD -i eth0 -j ACCEPT -A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT -A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT 
@@ -779,53 +512,11 @@ hash:net family inet -A awall-INPUT -m limit --limit 1/second -j LOG -A awall-INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A awall-INPUT -i lo -j ACCEPT --A awall-INPUT -j ACCEPT --A awall-INPUT -j awall-logdrop-0 --A awall-INPUT --A awall-INPUT -j ACCEPT --A awall-INPUT -j DROP --A awall-INPUT --A awall-INPUT -j awall-logaccept-0 --A awall-INPUT -j awall-logdrop-1 --A awall-INPUT -j awall-logpass-0 --A awall-INPUT -j awall-logaccept-1 --A awall-INPUT -j awall-logdrop-2 --A awall-INPUT -j awall-logpass-1 --A awall-INPUT -j awall-logaccept-2 --A awall-INPUT -j awall-logdrop-3 --A awall-INPUT -j awall-logpass-2 --A awall-INPUT -j ACCEPT --A awall-INPUT -j DROP --A awall-INPUT --A awall-INPUT -j awall-logaccept-3 --A awall-INPUT -j awall-logdrop-4 --A awall-INPUT -j awall-logpass-3 -A awall-INPUT -i eth0 -j ACCEPT -A awall-INPUT -j ACCEPT -A awall-INPUT -p icmp -j awall-icmp-routing -A awall-OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A awall-OUTPUT -o lo -j ACCEPT --A awall-OUTPUT -j ACCEPT --A awall-OUTPUT -j awall-logdrop-0 --A awall-OUTPUT --A awall-OUTPUT -j ACCEPT --A awall-OUTPUT -j DROP --A awall-OUTPUT --A awall-OUTPUT -j awall-logaccept-0 --A awall-OUTPUT -j awall-logdrop-1 --A awall-OUTPUT -j awall-logpass-0 --A awall-OUTPUT -j awall-logaccept-1 --A awall-OUTPUT -j awall-logdrop-2 --A awall-OUTPUT -j awall-logpass-1 --A awall-OUTPUT -j awall-logaccept-2 --A awall-OUTPUT -j awall-logdrop-3 --A awall-OUTPUT -j awall-logpass-2 --A awall-OUTPUT -j ACCEPT --A awall-OUTPUT -j DROP --A awall-OUTPUT --A awall-OUTPUT -j awall-logaccept-3 --A awall-OUTPUT -j awall-logdrop-4 --A awall-OUTPUT -j awall-logpass-3 -A awall-OUTPUT -m limit --limit 12/minute -j ULOG -A awall-OUTPUT -j ACCEPT -A awall-OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT 
@@ -833,31 +524,6 @@ hash:net family inet -A awall-icmp-routing -p icmp --icmp-type 3 -j ACCEPT -A awall-icmp-routing -p icmp --icmp-type 11 -j ACCEPT -A awall-icmp-routing -p icmp --icmp-type 12 -j ACCEPT --A awall-logaccept-0 -m limit --limit 1/second -j LOG --A awall-logaccept-0 -j ACCEPT --A awall-logaccept-1 -j LOG --A awall-logaccept-1 -j ACCEPT --A awall-logaccept-2 -j TEE --gateway 10.0.0.1 --A awall-logaccept-2 -j TEE --gateway 10.0.0.2 --A awall-logaccept-2 -j ACCEPT --A awall-logaccept-3 -m limit --limit 12/minute -j ULOG --A awall-logaccept-3 -j ACCEPT --A awall-logdrop-0 -m limit --limit 1/second -j LOG --A awall-logdrop-0 -j DROP --A awall-logdrop-1 -m limit --limit 1/second -j LOG --A awall-logdrop-1 -j DROP --A awall-logdrop-2 -j LOG --A awall-logdrop-2 -j DROP --A awall-logdrop-3 -j TEE --gateway 10.0.0.1 --A awall-logdrop-3 -j TEE --gateway 10.0.0.2 --A awall-logdrop-3 -j DROP --A awall-logdrop-4 -m limit --limit 12/minute -j ULOG --A awall-logdrop-4 -j DROP --A awall-logpass-0 -m limit --limit 1/second -j LOG --A awall-logpass-1 -j LOG --A awall-logpass-2 -j TEE --gateway 10.0.0.1 --A awall-logpass-2 -j TEE --gateway 10.0.0.2 --A awall-logpass-3 -m limit --limit 12/minute -j ULOG COMMIT *mangle :FORWARD ACCEPT [0:0] 
@@ -927,42 +593,10 @@ COMMIT :awall-INPUT - [0:0] :awall-OUTPUT - [0:0] :awall-icmp-routing - [0:0] -:awall-logaccept-0 - [0:0] -:awall-logaccept-1 - [0:0] -:awall-logaccept-2 - [0:0] -:awall-logaccept-3 - [0:0] -:awall-logdrop-0 - [0:0] -:awall-logdrop-1 - [0:0] -:awall-logdrop-2 - [0:0] -:awall-logdrop-3 - [0:0] -:awall-logdrop-4 - [0:0] -:awall-logpass-0 - [0:0] -:awall-logpass-1 - [0:0] -:awall-logpass-2 - [0:0] -A FORWARD -j awall-FORWARD -A INPUT -j awall-INPUT -A OUTPUT -j awall-OUTPUT -A awall-FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT --A awall-FORWARD -j ACCEPT --A awall-FORWARD -j awall-logdrop-0 --A awall-FORWARD --A awall-FORWARD -j ACCEPT --A awall-FORWARD -j DROP --A awall-FORWARD --A awall-FORWARD -j awall-logaccept-0 --A awall-FORWARD -j awall-logdrop-1 --A awall-FORWARD -j awall-logpass-0 --A awall-FORWARD -j awall-logaccept-1 --A awall-FORWARD -j awall-logdrop-2 --A awall-FORWARD -j awall-logpass-1 --A awall-FORWARD -j awall-logaccept-2 --A awall-FORWARD -j awall-logdrop-3 --A awall-FORWARD -j awall-logpass-2 --A awall-FORWARD -j ACCEPT --A awall-FORWARD -j DROP --A awall-FORWARD --A awall-FORWARD -j awall-logaccept-3 --A awall-FORWARD -j awall-logdrop-4 -A awall-FORWARD -i eth0 -j ACCEPT -A awall-FORWARD -o eth1 -d fc00::/7 -j ACCEPT -A awall-FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT 
@@ -994,80 +628,18 @@ COMMIT -A awall-INPUT -m limit --limit 1/second -j LOG -A awall-INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A awall-INPUT -i lo -j ACCEPT --A awall-INPUT -j ACCEPT --A awall-INPUT -j awall-logdrop-0 --A awall-INPUT --A awall-INPUT -j ACCEPT --A awall-INPUT -j DROP --A awall-INPUT --A awall-INPUT -j awall-logaccept-0 --A awall-INPUT -j awall-logdrop-1 --A awall-INPUT -j awall-logpass-0 --A awall-INPUT -j awall-logaccept-1 --A awall-INPUT -j awall-logdrop-2 --A awall-INPUT -j awall-logpass-1 --A awall-INPUT -j awall-logaccept-2 --A awall-INPUT -j awall-logdrop-3 --A awall-INPUT -j awall-logpass-2 --A awall-INPUT -j ACCEPT --A awall-INPUT -j DROP --A awall-INPUT --A awall-INPUT -j awall-logaccept-3 --A awall-INPUT -j awall-logdrop-4 -A awall-INPUT -i eth0 -j ACCEPT -A awall-INPUT -j ACCEPT -A awall-INPUT -p icmpv6 -j ACCEPT -A awall-OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A awall-OUTPUT -o lo -j ACCEPT -A awall-OUTPUT -j ACCEPT --A awall-OUTPUT -j awall-logdrop-0 --A awall-OUTPUT --A awall-OUTPUT -j ACCEPT --A awall-OUTPUT -j DROP --A awall-OUTPUT --A awall-OUTPUT -j awall-logaccept-0 --A awall-OUTPUT -j awall-logdrop-1 --A awall-OUTPUT -j awall-logpass-0 --A awall-OUTPUT -j awall-logaccept-1 --A awall-OUTPUT -j awall-logdrop-2 --A awall-OUTPUT -j awall-logpass-1 --A awall-OUTPUT -j awall-logaccept-2 --A awall-OUTPUT -j awall-logdrop-3 --A awall-OUTPUT -j awall-logpass-2 --A awall-OUTPUT -j ACCEPT --A awall-OUTPUT -j DROP --A awall-OUTPUT --A awall-OUTPUT -j awall-logaccept-3 --A awall-OUTPUT -j awall-logdrop-4 --A awall-OUTPUT -j ACCEPT -A awall-OUTPUT -o eth1 -d fc00::/7 -j ACCEPT -A awall-OUTPUT -p icmpv6 -j ACCEPT -A awall-icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT -A awall-icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT -A awall-icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT -A awall-icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT --A awall-logaccept-0 -m limit --limit 1/second -j LOG --A awall-logaccept-0 -j 
ACCEPT --A awall-logaccept-1 -j LOG --A awall-logaccept-1 -j TEE --gateway fc00::1 --A awall-logaccept-1 -j ACCEPT --A awall-logaccept-2 -j TEE --gateway fc00::2 --A awall-logaccept-2 -j ACCEPT --A awall-logaccept-3 -j ACCEPT --A awall-logdrop-0 -m limit --limit 1/second -j LOG --A awall-logdrop-0 -j DROP --A awall-logdrop-1 -m limit --limit 1/second -j LOG --A awall-logdrop-1 -j DROP --A awall-logdrop-2 -j LOG --A awall-logdrop-2 -j TEE --gateway fc00::1 --A awall-logdrop-2 -j DROP --A awall-logdrop-3 -j TEE --gateway fc00::2 --A awall-logdrop-3 -j DROP --A awall-logdrop-4 -j DROP --A awall-logpass-0 -m limit --limit 1/second -j LOG --A awall-logpass-1 -j LOG --A awall-logpass-1 -j TEE --gateway fc00::1 --A awall-logpass-2 -j TEE --gateway fc00::2 COMMIT *mangle :INPUT ACCEPT [0:0] diff --git a/test/output/dedicated/rules-save b/test/output/dedicated/rules-save index 614ec46..e8ddbd8 100644 --- a/test/output/dedicated/rules-save +++ b/test/output/dedicated/rules-save 
@@ -7,44 +7,10 @@ :awall-INPUT - [0:0] :awall-OUTPUT - [0:0] :awall-icmp-routing - [0:0] -:awall-logaccept-0 - [0:0] -:awall-logaccept-1 - [0:0] -:awall-logaccept-2 - [0:0] -:awall-logaccept-3 - [0:0] -:awall-logdrop-0 - [0:0] -:awall-logdrop-1 - [0:0] -:awall-logdrop-2 - [0:0] -:awall-logdrop-3 - [0:0] -:awall-logdrop-4 - [0:0] -:awall-logpass-0 - [0:0] -:awall-logpass-1 - [0:0] -:awall-logpass-2 - [0:0] -:awall-logpass-3 - [0:0] -A FORWARD -j awall-FORWARD -A INPUT -j awall-INPUT -A OUTPUT -j awall-OUTPUT -A awall-FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT --A awall-FORWARD -j ACCEPT --A awall-FORWARD -j awall-logdrop-0 --A awall-FORWARD --A awall-FORWARD -j ACCEPT --A awall-FORWARD -j DROP --A awall-FORWARD --A awall-FORWARD -j awall-logaccept-0 --A awall-FORWARD -j awall-logdrop-1 --A awall-FORWARD -j awall-logpass-0 --A awall-FORWARD -j awall-logaccept-1 --A awall-FORWARD -j awall-logdrop-2 --A awall-FORWARD -j awall-logpass-1 --A awall-FORWARD -j awall-logaccept-2 --A awall-FORWARD -j awall-logdrop-3 --A awall-FORWARD -j awall-logpass-2 --A awall-FORWARD -j ACCEPT --A awall-FORWARD -j DROP --A awall-FORWARD --A awall-FORWARD -j awall-logaccept-3 --A awall-FORWARD -j awall-logdrop-4 --A awall-FORWARD -j awall-logpass-3 -A awall-FORWARD -i eth0 -j ACCEPT -A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT -A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT 
@@ -102,53 +68,11 @@ -A awall-INPUT -m limit --limit 1/second -j LOG -A awall-INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A awall-INPUT -i lo -j ACCEPT --A awall-INPUT -j ACCEPT --A awall-INPUT -j awall-logdrop-0 --A awall-INPUT --A awall-INPUT -j ACCEPT --A awall-INPUT -j DROP --A awall-INPUT --A awall-INPUT -j awall-logaccept-0 --A awall-INPUT -j awall-logdrop-1 --A awall-INPUT -j awall-logpass-0 --A awall-INPUT -j awall-logaccept-1 --A awall-INPUT -j awall-logdrop-2 --A awall-INPUT -j awall-logpass-1 --A awall-INPUT -j awall-logaccept-2 --A awall-INPUT -j awall-logdrop-3 --A awall-INPUT -j awall-logpass-2 --A awall-INPUT -j ACCEPT --A awall-INPUT -j DROP --A awall-INPUT --A awall-INPUT -j awall-logaccept-3 --A awall-INPUT -j awall-logdrop-4 --A awall-INPUT -j awall-logpass-3 -A awall-INPUT -i eth0 -j ACCEPT -A awall-INPUT -j ACCEPT -A awall-INPUT -p icmp -j awall-icmp-routing -A awall-OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A awall-OUTPUT -o lo -j ACCEPT --A awall-OUTPUT -j ACCEPT --A awall-OUTPUT -j awall-logdrop-0 --A awall-OUTPUT --A awall-OUTPUT -j ACCEPT --A awall-OUTPUT -j DROP --A awall-OUTPUT --A awall-OUTPUT -j awall-logaccept-0 --A awall-OUTPUT -j awall-logdrop-1 --A awall-OUTPUT -j awall-logpass-0 --A awall-OUTPUT -j awall-logaccept-1 --A awall-OUTPUT -j awall-logdrop-2 --A awall-OUTPUT -j awall-logpass-1 --A awall-OUTPUT -j awall-logaccept-2 --A awall-OUTPUT -j awall-logdrop-3 --A awall-OUTPUT -j awall-logpass-2 --A awall-OUTPUT -j ACCEPT --A awall-OUTPUT -j DROP --A awall-OUTPUT --A awall-OUTPUT -j awall-logaccept-3 --A awall-OUTPUT -j awall-logdrop-4 --A awall-OUTPUT -j awall-logpass-3 -A awall-OUTPUT -m limit --limit 12/minute -j ULOG -A awall-OUTPUT -j ACCEPT -A awall-OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT 
@@ -156,31 +80,6 @@ -A awall-icmp-routing -p icmp --icmp-type 3 -j ACCEPT -A awall-icmp-routing -p icmp --icmp-type 11 -j ACCEPT -A awall-icmp-routing -p icmp --icmp-type 12 -j ACCEPT --A awall-logaccept-0 -m limit --limit 1/second -j LOG --A awall-logaccept-0 -j ACCEPT --A awall-logaccept-1 -j LOG --A awall-logaccept-1 -j ACCEPT --A awall-logaccept-2 -j TEE --gateway 10.0.0.1 --A awall-logaccept-2 -j TEE --gateway 10.0.0.2 --A awall-logaccept-2 -j ACCEPT --A awall-logaccept-3 -m limit --limit 12/minute -j ULOG --A awall-logaccept-3 -j ACCEPT --A awall-logdrop-0 -m limit --limit 1/second -j LOG --A awall-logdrop-0 -j DROP --A awall-logdrop-1 -m limit --limit 1/second -j LOG --A awall-logdrop-1 -j DROP --A awall-logdrop-2 -j LOG --A awall-logdrop-2 -j DROP --A awall-logdrop-3 -j TEE --gateway 10.0.0.1 --A awall-logdrop-3 -j TEE --gateway 10.0.0.2 --A awall-logdrop-3 -j DROP --A awall-logdrop-4 -m limit --limit 12/minute -j ULOG --A awall-logdrop-4 -j DROP --A awall-logpass-0 -m limit --limit 1/second -j LOG --A awall-logpass-1 -j LOG --A awall-logpass-2 -j TEE --gateway 10.0.0.1 --A awall-logpass-2 -j TEE --gateway 10.0.0.2 --A awall-logpass-3 -m limit --limit 12/minute -j ULOG COMMIT *mangle :FORWARD ACCEPT [0:0] diff --git a/test/output/dedicated/rules6-save b/test/output/dedicated/rules6-save index 48e7802..072bfa2 100644 --- a/test/output/dedicated/rules6-save +++ b/test/output/dedicated/rules6-save 
@@ -7,42 +7,10 @@ :awall-INPUT - [0:0] :awall-OUTPUT - [0:0] :awall-icmp-routing - [0:0] -:awall-logaccept-0 - [0:0] -:awall-logaccept-1 - [0:0] -:awall-logaccept-2 - [0:0] -:awall-logaccept-3 - [0:0] -:awall-logdrop-0 - [0:0] -:awall-logdrop-1 - [0:0] -:awall-logdrop-2 - [0:0] -:awall-logdrop-3 - [0:0] -:awall-logdrop-4 - [0:0] -:awall-logpass-0 - [0:0] -:awall-logpass-1 - [0:0] -:awall-logpass-2 - [0:0] -A FORWARD -j awall-FORWARD -A INPUT -j awall-INPUT -A OUTPUT -j awall-OUTPUT -A awall-FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT --A awall-FORWARD -j ACCEPT --A awall-FORWARD -j awall-logdrop-0 --A awall-FORWARD --A awall-FORWARD -j ACCEPT --A awall-FORWARD -j DROP --A awall-FORWARD --A awall-FORWARD -j awall-logaccept-0 --A awall-FORWARD -j awall-logdrop-1 --A awall-FORWARD -j awall-logpass-0 --A awall-FORWARD -j awall-logaccept-1 --A awall-FORWARD -j awall-logdrop-2 --A awall-FORWARD -j awall-logpass-1 --A awall-FORWARD -j awall-logaccept-2 --A awall-FORWARD -j awall-logdrop-3 --A awall-FORWARD -j awall-logpass-2 --A awall-FORWARD -j ACCEPT --A awall-FORWARD -j DROP --A awall-FORWARD --A awall-FORWARD -j awall-logaccept-3 --A awall-FORWARD -j awall-logdrop-4 -A awall-FORWARD -i eth0 -j ACCEPT -A awall-FORWARD -o eth1 -d fc00::/7 -j ACCEPT -A awall-FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT 
@@ -74,80 +42,18 @@ -A awall-INPUT -m limit --limit 1/second -j LOG -A awall-INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A awall-INPUT -i lo -j ACCEPT --A awall-INPUT -j ACCEPT --A awall-INPUT -j awall-logdrop-0 --A awall-INPUT --A awall-INPUT -j ACCEPT --A awall-INPUT -j DROP --A awall-INPUT --A awall-INPUT -j awall-logaccept-0 --A awall-INPUT -j awall-logdrop-1 --A awall-INPUT -j awall-logpass-0 --A awall-INPUT -j awall-logaccept-1 --A awall-INPUT -j awall-logdrop-2 --A awall-INPUT -j awall-logpass-1 --A awall-INPUT -j awall-logaccept-2 --A awall-INPUT -j awall-logdrop-3 --A awall-INPUT -j awall-logpass-2 --A awall-INPUT -j ACCEPT --A awall-INPUT -j DROP --A awall-INPUT --A awall-INPUT -j awall-logaccept-3 --A awall-INPUT -j awall-logdrop-4 -A awall-INPUT -i eth0 -j ACCEPT -A awall-INPUT -j ACCEPT -A awall-INPUT -p icmpv6 -j ACCEPT -A awall-OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A awall-OUTPUT -o lo -j ACCEPT -A awall-OUTPUT -j ACCEPT --A awall-OUTPUT -j awall-logdrop-0 --A awall-OUTPUT --A awall-OUTPUT -j ACCEPT --A awall-OUTPUT -j DROP --A awall-OUTPUT --A awall-OUTPUT -j awall-logaccept-0 --A awall-OUTPUT -j awall-logdrop-1 --A awall-OUTPUT -j awall-logpass-0 --A awall-OUTPUT -j awall-logaccept-1 --A awall-OUTPUT -j awall-logdrop-2 --A awall-OUTPUT -j awall-logpass-1 --A awall-OUTPUT -j awall-logaccept-2 --A awall-OUTPUT -j awall-logdrop-3 --A awall-OUTPUT -j awall-logpass-2 --A awall-OUTPUT -j ACCEPT --A awall-OUTPUT -j DROP --A awall-OUTPUT --A awall-OUTPUT -j awall-logaccept-3 --A awall-OUTPUT -j awall-logdrop-4 --A awall-OUTPUT -j ACCEPT -A awall-OUTPUT -o eth1 -d fc00::/7 -j ACCEPT -A awall-OUTPUT -p icmpv6 -j ACCEPT -A awall-icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT -A awall-icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT -A awall-icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT -A awall-icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT --A awall-logaccept-0 -m limit --limit 1/second -j LOG --A awall-logaccept-0 -j ACCEPT --A 
awall-logaccept-1 -j LOG --A awall-logaccept-1 -j TEE --gateway fc00::1 --A awall-logaccept-1 -j ACCEPT --A awall-logaccept-2 -j TEE --gateway fc00::2 --A awall-logaccept-2 -j ACCEPT --A awall-logaccept-3 -j ACCEPT --A awall-logdrop-0 -m limit --limit 1/second -j LOG --A awall-logdrop-0 -j DROP --A awall-logdrop-1 -m limit --limit 1/second -j LOG --A awall-logdrop-1 -j DROP --A awall-logdrop-2 -j LOG --A awall-logdrop-2 -j TEE --gateway fc00::1 --A awall-logdrop-2 -j DROP --A awall-logdrop-3 -j TEE --gateway fc00::2 --A awall-logdrop-3 -j DROP --A awall-logdrop-4 -j DROP --A awall-logpass-0 -m limit --limit 1/second -j LOG --A awall-logpass-1 -j LOG --A awall-logpass-1 -j TEE --gateway fc00::1 --A awall-logpass-2 -j TEE --gateway fc00::2 COMMIT *mangle :INPUT ACCEPT [0:0] diff --git a/test/output/filter-dnat/dump b/test/output/filter-dnat/dump index 9868823..1ba647a 100644 --- a/test/output/filter-dnat/dump +++ b/test/output/filter-dnat/dump 
@@ -12,356 +12,123 @@ Dnat 2 {"in":"B"} inet/nat/PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT -Filter 1 {"dest":"192.168.0.1","dnat":"10.0.0.1","in":"A","service":"smtp"} -(filter-dnat) - inet/filter/FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT - inet/filter/INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT - inet/nat/PREROUTING -i eth0 -p tcp --dport 25 -d 192.168.0.1 -j DNAT --to-destination 10.0.0.1 - -Filter 2 {"dest":"192.168.0.2","dnat":{"addr":"10.0.0.2","port":8080},"in":"A","service":"http"} -(filter-dnat) - inet/filter/FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT - inet/filter/INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT - inet/nat/PREROUTING -i eth0 -p tcp --dport 80 -d 192.168.0.2 -j DNAT --to-destination 10.0.0.2:8080 - -Filter 3 {"dnat":{"addr":"10.0.0.3","port":"8022-8033"},"in":"A","service":"ssh"} -(filter-dnat) - inet/filter/FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT - inet/filter/INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT - inet/nat/PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.3:8022-8033 - inet6/filter/FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT - inet6/filter/INPUT -i eth0 -p tcp --dport 22 -j ACCEPT - -Filter 4 {} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 5 {"action":"drop"} -(log) - inet/filter/FORWARD -j logdrop-0 - inet/filter/INPUT -j logdrop-0 - inet/filter/OUTPUT -j logdrop-0 - inet/filter/logdrop-0 -m limit --limit 1/second -j LOG - inet/filter/logdrop-0 -j DROP - inet6/filter/FORWARD -j logdrop-0 - inet6/filter/INPUT -j logdrop-0 - inet6/filter/OUTPUT -j logdrop-0 - inet6/filter/logdrop-0 -m limit --limit 1/second -j LOG - inet6/filter/logdrop-0 -j DROP - -Filter 6 {"action":"pass"} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD 
- inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 7 {"log":false} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 8 {"action":"drop","log":false} -(log) - inet/filter/FORWARD -j DROP - inet/filter/INPUT -j DROP - inet/filter/OUTPUT -j DROP - inet6/filter/FORWARD -j DROP - inet6/filter/INPUT -j DROP - inet6/filter/OUTPUT -j DROP - -Filter 9 {"action":"pass","log":false} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 10 {"log":true} -(log) - inet/filter/FORWARD -j logaccept-0 - inet/filter/INPUT -j logaccept-0 - inet/filter/OUTPUT -j logaccept-0 - inet/filter/logaccept-0 -m limit --limit 1/second -j LOG - inet/filter/logaccept-0 -j ACCEPT - inet6/filter/FORWARD -j logaccept-0 - inet6/filter/INPUT -j logaccept-0 - inet6/filter/OUTPUT -j logaccept-0 - inet6/filter/logaccept-0 -m limit --limit 1/second -j LOG - inet6/filter/logaccept-0 -j ACCEPT - -Filter 11 {"action":"drop","log":true} -(log) - inet/filter/FORWARD -j logdrop-1 - inet/filter/INPUT -j logdrop-1 - inet/filter/OUTPUT -j logdrop-1 - inet/filter/logdrop-1 -m limit --limit 1/second -j LOG - inet/filter/logdrop-1 -j DROP - inet6/filter/FORWARD -j logdrop-1 - inet6/filter/INPUT -j logdrop-1 - inet6/filter/OUTPUT -j logdrop-1 - inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG - inet6/filter/logdrop-1 -j DROP - -Filter 12 {"action":"pass","log":true} -(log) - inet/filter/FORWARD -j logpass-0 - inet/filter/INPUT -j logpass-0 - inet/filter/OUTPUT -j logpass-0 - inet/filter/logpass-0 -m limit --limit 1/second -j LOG - inet6/filter/FORWARD -j logpass-0 - inet6/filter/INPUT -j logpass-0 - inet6/filter/OUTPUT -j logpass-0 - inet6/filter/logpass-0 -m limit --limit 1/second -j LOG - -Filter 13 {"log":"dual"} -(log) - inet/filter/FORWARD -j logaccept-1 - 
inet/filter/INPUT -j logaccept-1 - inet/filter/OUTPUT -j logaccept-1 - inet/filter/logaccept-1 -j LOG - inet/filter/logaccept-1 -j ACCEPT - inet6/filter/FORWARD -j logaccept-1 - inet6/filter/INPUT -j logaccept-1 - inet6/filter/OUTPUT -j logaccept-1 - inet6/filter/logaccept-1 -j LOG - inet6/filter/logaccept-1 -j TEE --gateway fc00::1 - inet6/filter/logaccept-1 -j ACCEPT - -Filter 14 {"action":"drop","log":"dual"} -(log) - inet/filter/FORWARD -j logdrop-2 - inet/filter/INPUT -j logdrop-2 - inet/filter/OUTPUT -j logdrop-2 - inet/filter/logdrop-2 -j LOG - inet/filter/logdrop-2 -j DROP - inet6/filter/FORWARD -j logdrop-2 - inet6/filter/INPUT -j logdrop-2 - inet6/filter/OUTPUT -j logdrop-2 - inet6/filter/logdrop-2 -j LOG - inet6/filter/logdrop-2 -j TEE --gateway fc00::1 - inet6/filter/logdrop-2 -j DROP - -Filter 15 {"action":"pass","log":"dual"} -(log) - inet/filter/FORWARD -j logpass-1 - inet/filter/INPUT -j logpass-1 - inet/filter/OUTPUT -j logpass-1 - inet/filter/logpass-1 -j LOG - inet6/filter/FORWARD -j logpass-1 - inet6/filter/INPUT -j logpass-1 - inet6/filter/OUTPUT -j logpass-1 - inet6/filter/logpass-1 -j LOG - inet6/filter/logpass-1 -j TEE --gateway fc00::1 - -Filter 16 {"log":"mirror"} -(log) - inet/filter/FORWARD -j logaccept-2 - inet/filter/INPUT -j logaccept-2 - inet/filter/OUTPUT -j logaccept-2 - inet/filter/logaccept-2 -j TEE --gateway 10.0.0.1 - inet/filter/logaccept-2 -j TEE --gateway 10.0.0.2 - inet/filter/logaccept-2 -j ACCEPT - inet6/filter/FORWARD -j logaccept-2 - inet6/filter/INPUT -j logaccept-2 - inet6/filter/OUTPUT -j logaccept-2 - inet6/filter/logaccept-2 -j TEE --gateway fc00::2 - inet6/filter/logaccept-2 -j ACCEPT - -Filter 17 {"action":"drop","log":"mirror"} -(log) - inet/filter/FORWARD -j logdrop-3 - inet/filter/INPUT -j logdrop-3 - inet/filter/OUTPUT -j logdrop-3 - inet/filter/logdrop-3 -j TEE --gateway 10.0.0.1 - inet/filter/logdrop-3 -j TEE --gateway 10.0.0.2 - inet/filter/logdrop-3 -j DROP - inet6/filter/FORWARD -j logdrop-3 - 
inet6/filter/INPUT -j logdrop-3 - inet6/filter/OUTPUT -j logdrop-3 - inet6/filter/logdrop-3 -j TEE --gateway fc00::2 - inet6/filter/logdrop-3 -j DROP - -Filter 18 {"action":"pass","log":"mirror"} -(log) - inet/filter/FORWARD -j logpass-2 - inet/filter/INPUT -j logpass-2 - inet/filter/OUTPUT -j logpass-2 - inet/filter/logpass-2 -j TEE --gateway 10.0.0.1 - inet/filter/logpass-2 -j TEE --gateway 10.0.0.2 - inet6/filter/FORWARD -j logpass-2 - inet6/filter/INPUT -j logpass-2 - inet6/filter/OUTPUT -j logpass-2 - inet6/filter/logpass-2 -j TEE --gateway fc00::2 - -Filter 19 {"log":"none"} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 20 {"action":"drop","log":"none"} -(log) - inet/filter/FORWARD -j DROP - inet/filter/INPUT -j DROP - inet/filter/OUTPUT -j DROP - inet6/filter/FORWARD -j DROP - inet6/filter/INPUT -j DROP - inet6/filter/OUTPUT -j DROP - -Filter 21 {"action":"pass","log":"none"} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 22 {"log":"ulog"} -(log) - inet/filter/FORWARD -j logaccept-3 - inet/filter/INPUT -j logaccept-3 - inet/filter/OUTPUT -j logaccept-3 - inet/filter/logaccept-3 -m limit --limit 12/minute -j ULOG - inet/filter/logaccept-3 -j ACCEPT - inet6/filter/FORWARD -j logaccept-3 - inet6/filter/INPUT -j logaccept-3 - inet6/filter/OUTPUT -j logaccept-3 - inet6/filter/logaccept-3 -j ACCEPT - -Filter 23 {"action":"drop","log":"ulog"} -(log) - inet/filter/FORWARD -j logdrop-4 - inet/filter/INPUT -j logdrop-4 - inet/filter/OUTPUT -j logdrop-4 - inet/filter/logdrop-4 -m limit --limit 12/minute -j ULOG - inet/filter/logdrop-4 -j DROP - inet6/filter/FORWARD -j logdrop-4 - inet6/filter/INPUT -j logdrop-4 - inet6/filter/OUTPUT -j logdrop-4 - inet6/filter/logdrop-4 -j DROP - -Filter 24 
{"action":"pass","log":"ulog"} -(log) - inet/filter/FORWARD -j logpass-3 - inet/filter/INPUT -j logpass-3 - inet/filter/OUTPUT -j logpass-3 - inet/filter/logpass-3 -m limit --limit 12/minute -j ULOG - -Filter 25 {"action":"pass","in":"_fw","log":"ulog"} -(log) - inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG - -Filter 26 {"in":["_fw","A"]} -(zone) - inet/filter/FORWARD -i eth0 -j ACCEPT - inet/filter/INPUT -i eth0 -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -i eth0 -j ACCEPT - inet6/filter/INPUT -i eth0 -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 27 {"in":"B","out":"C"} -(zone) - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT +Filter 1 {"dest":"192.168.0.1","dnat":"10.0.0.1","in":"A","service":"smtp"} +(filter-dnat) + inet/filter/FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT + inet/filter/INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT + inet/nat/PREROUTING -i eth0 -p tcp --dport 25 -d 192.168.0.1 -j DNAT --to-destination 10.0.0.1 + +Filter 2 {"dest":"192.168.0.2","dnat":{"addr":"10.0.0.2","port":8080},"in":"A","service":"http"} +(filter-dnat) + inet/filter/FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT + inet/filter/INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT + inet/nat/PREROUTING -i eth0 -p tcp --dport 80 -d 192.168.0.2 -j DNAT --to-destination 10.0.0.2:8080 + +Filter 3 {"dnat":{"addr":"10.0.0.3","port":"8022-8033"},"in":"A","service":"ssh"} +(filter-dnat) + inet/filter/FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT + inet/filter/INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT + inet/nat/PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.3:8022-8033 + inet6/filter/FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT + inet6/filter/INPUT -i eth0 -p tcp --dport 22 -j ACCEPT + +Filter 4 {"action":"pass","in":"_fw","log":"ulog"} +(log) + 
inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG + +Filter 5 {"in":["_fw","A"]} +(zone) + inet/filter/FORWARD -i eth0 -j ACCEPT + inet/filter/INPUT -i eth0 -j ACCEPT + inet/filter/OUTPUT -j ACCEPT + inet6/filter/FORWARD -i eth0 -j ACCEPT + inet6/filter/INPUT -i eth0 -j ACCEPT + inet6/filter/OUTPUT -j ACCEPT + +Filter 6 {"in":"B","out":"C"} +(zone) + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT -Filter 28 {"out":["_fw","B"]} -(zone) - inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT - -Filter 29 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} -(zone) - inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i 
eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT - 
inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT +Filter 7 {"out":["_fw","B"]} +(zone) + inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/INPUT -j ACCEPT + inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/INPUT -j ACCEPT + inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT + +Filter 8 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} +(zone) + inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i 
eth0 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth5 
-j ACCEPT + inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol 
ipsec -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT Ipset awall-masquerade {"family":"inet","type":"hash:net"} @@ -701,44 +468,10 @@ hash:net family inet :INPUT DROP [0:0] :OUTPUT DROP [0:0] :icmp-routing - [0:0] -:logaccept-0 - [0:0] -:logaccept-1 - [0:0] -:logaccept-2 - [0:0] -:logaccept-3 - [0:0] -:logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] -:logpass-3 - [0:0] -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT -A FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT -A FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT -A FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT --A FORWARD -j ACCEPT --A FORWARD -j logdrop-0 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-0 --A FORWARD -j logdrop-1 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-1 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-2 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-3 --A FORWARD -j logdrop-4 --A FORWARD -j logpass-3 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT 
@@ -799,53 +532,11 @@ hash:net family inet -A INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT -A INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT -A INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT --A INPUT -j ACCEPT --A INPUT -j logdrop-0 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-0 --A INPUT -j logdrop-1 --A INPUT -j logpass-0 --A INPUT -j logaccept-1 --A INPUT -j logdrop-2 --A INPUT -j logpass-1 --A INPUT -j logaccept-2 --A INPUT -j logdrop-3 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-3 --A INPUT -j logdrop-4 --A INPUT -j logpass-3 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmp -j icmp-routing -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -o lo -j ACCEPT --A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-0 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-0 --A OUTPUT -j logdrop-1 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-1 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-2 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-3 --A OUTPUT -j logdrop-4 --A OUTPUT -j logpass-3 -A OUTPUT -m limit --limit 12/minute -j ULOG -A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT 
@@ -853,31 +544,6 @@ hash:net family inet -A icmp-routing -p icmp --icmp-type 3 -j ACCEPT -A icmp-routing -p icmp --icmp-type 11 -j ACCEPT -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT --A logaccept-0 -m limit --limit 1/second -j LOG --A logaccept-0 -j ACCEPT --A logaccept-1 -j LOG --A logaccept-1 -j ACCEPT --A logaccept-2 -j TEE --gateway 10.0.0.1 --A logaccept-2 -j TEE --gateway 10.0.0.2 --A logaccept-2 -j ACCEPT --A logaccept-3 -m limit --limit 12/minute -j ULOG --A logaccept-3 -j ACCEPT --A logdrop-0 -m limit --limit 1/second -j LOG --A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -j LOG --A logdrop-2 -j DROP --A logdrop-3 -j TEE --gateway 10.0.0.1 --A logdrop-3 -j TEE --gateway 10.0.0.2 --A logdrop-3 -j DROP --A logdrop-4 -m limit --limit 12/minute -j ULOG --A logdrop-4 -j DROP --A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-2 -j TEE --gateway 10.0.0.1 --A logpass-2 -j TEE --gateway 10.0.0.2 --A logpass-3 -m limit --limit 12/minute -j ULOG COMMIT *mangle :FORWARD ACCEPT [0:0] 
@@ -925,40 +591,8 @@ COMMIT :INPUT DROP [0:0] :OUTPUT DROP [0:0] :icmp-routing - [0:0] -:logaccept-0 - [0:0] -:logaccept-1 - [0:0] -:logaccept-2 - [0:0] -:logaccept-3 - [0:0] -:logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT -A FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT --A FORWARD -j ACCEPT --A FORWARD -j logdrop-0 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-0 --A FORWARD -j logdrop-1 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-1 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-2 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-3 --A FORWARD -j logdrop-4 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT 
@@ -991,80 +625,18 @@ COMMIT -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT --A INPUT -j ACCEPT --A INPUT -j logdrop-0 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-0 --A INPUT -j logdrop-1 --A INPUT -j logpass-0 --A INPUT -j logaccept-1 --A INPUT -j logdrop-2 --A INPUT -j logpass-1 --A INPUT -j logaccept-2 --A INPUT -j logdrop-3 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-3 --A INPUT -j logdrop-4 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmpv6 -j ACCEPT -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-0 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-0 --A OUTPUT -j logdrop-1 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-1 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-2 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-3 --A OUTPUT -j logdrop-4 --A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT -A OUTPUT -p icmpv6 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT --A logaccept-0 -m limit --limit 1/second -j LOG --A logaccept-0 -j ACCEPT --A logaccept-1 -j LOG --A logaccept-1 -j TEE --gateway fc00::1 --A logaccept-1 -j ACCEPT --A logaccept-2 -j TEE --gateway fc00::2 --A logaccept-2 -j ACCEPT --A logaccept-3 -j ACCEPT --A logdrop-0 -m limit --limit 1/second -j LOG --A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -j LOG --A logdrop-2 -j TEE --gateway fc00::1 --A logdrop-2 -j DROP --A logdrop-3 -j TEE --gateway fc00::2 --A logdrop-3 -j DROP --A logdrop-4 
-j DROP --A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-1 -j TEE --gateway fc00::1 --A logpass-2 -j TEE --gateway fc00::2 COMMIT *mangle :INPUT ACCEPT [0:0] diff --git a/test/output/filter-dnat/rules-save b/test/output/filter-dnat/rules-save index 4ecb0be..30a8278 100644 --- a/test/output/filter-dnat/rules-save +++ b/test/output/filter-dnat/rules-save @@ -4,44 +4,10 @@ :INPUT DROP [0:0] :OUTPUT DROP [0:0] :icmp-routing - [0:0] -:logaccept-0 - [0:0] -:logaccept-1 - [0:0] -:logaccept-2 - [0:0] -:logaccept-3 - [0:0] -:logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] -:logpass-3 - [0:0] -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT -A FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT -A FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT -A FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT --A FORWARD -j ACCEPT --A FORWARD -j logdrop-0 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-0 --A FORWARD -j logdrop-1 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-1 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-2 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-3 --A FORWARD -j logdrop-4 --A FORWARD -j logpass-3 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT 
@@ -102,53 +68,11 @@ -A INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT -A INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT -A INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT --A INPUT -j ACCEPT --A INPUT -j logdrop-0 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-0 --A INPUT -j logdrop-1 --A INPUT -j logpass-0 --A INPUT -j logaccept-1 --A INPUT -j logdrop-2 --A INPUT -j logpass-1 --A INPUT -j logaccept-2 --A INPUT -j logdrop-3 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-3 --A INPUT -j logdrop-4 --A INPUT -j logpass-3 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmp -j icmp-routing -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -o lo -j ACCEPT --A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-0 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-0 --A OUTPUT -j logdrop-1 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-1 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-2 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-3 --A OUTPUT -j logdrop-4 --A OUTPUT -j logpass-3 -A OUTPUT -m limit --limit 12/minute -j ULOG -A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT 
@@ -156,31 +80,6 @@ -A icmp-routing -p icmp --icmp-type 3 -j ACCEPT -A icmp-routing -p icmp --icmp-type 11 -j ACCEPT -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT --A logaccept-0 -m limit --limit 1/second -j LOG --A logaccept-0 -j ACCEPT --A logaccept-1 -j LOG --A logaccept-1 -j ACCEPT --A logaccept-2 -j TEE --gateway 10.0.0.1 --A logaccept-2 -j TEE --gateway 10.0.0.2 --A logaccept-2 -j ACCEPT --A logaccept-3 -m limit --limit 12/minute -j ULOG --A logaccept-3 -j ACCEPT --A logdrop-0 -m limit --limit 1/second -j LOG --A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -j LOG --A logdrop-2 -j DROP --A logdrop-3 -j TEE --gateway 10.0.0.1 --A logdrop-3 -j TEE --gateway 10.0.0.2 --A logdrop-3 -j DROP --A logdrop-4 -m limit --limit 12/minute -j ULOG --A logdrop-4 -j DROP --A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-2 -j TEE --gateway 10.0.0.1 --A logpass-2 -j TEE --gateway 10.0.0.2 --A logpass-3 -m limit --limit 12/minute -j ULOG COMMIT *mangle :FORWARD ACCEPT [0:0] diff --git a/test/output/filter-dnat/rules6-save b/test/output/filter-dnat/rules6-save index 2dfba33..5542f2a 100644 --- a/test/output/filter-dnat/rules6-save +++ b/test/output/filter-dnat/rules6-save 
@@ -4,40 +4,8 @@ :INPUT DROP [0:0] :OUTPUT DROP [0:0] :icmp-routing - [0:0] -:logaccept-0 - [0:0] -:logaccept-1 - [0:0] -:logaccept-2 - [0:0] -:logaccept-3 - [0:0] -:logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT -A FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT --A FORWARD -j ACCEPT --A FORWARD -j logdrop-0 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-0 --A FORWARD -j logdrop-1 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-1 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-2 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-3 --A FORWARD -j logdrop-4 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT 
@@ -70,80 +38,18 @@ -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT --A INPUT -j ACCEPT --A INPUT -j logdrop-0 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-0 --A INPUT -j logdrop-1 --A INPUT -j logpass-0 --A INPUT -j logaccept-1 --A INPUT -j logdrop-2 --A INPUT -j logpass-1 --A INPUT -j logaccept-2 --A INPUT -j logdrop-3 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-3 --A INPUT -j logdrop-4 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmpv6 -j ACCEPT -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-0 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-0 --A OUTPUT -j logdrop-1 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-1 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-2 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-3 --A OUTPUT -j logdrop-4 --A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT -A OUTPUT -p icmpv6 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT --A logaccept-0 -m limit --limit 1/second -j LOG --A logaccept-0 -j ACCEPT --A logaccept-1 -j LOG --A logaccept-1 -j TEE --gateway fc00::1 --A logaccept-1 -j ACCEPT --A logaccept-2 -j TEE --gateway fc00::2 --A logaccept-2 -j ACCEPT --A logaccept-3 -j ACCEPT --A logdrop-0 -m limit --limit 1/second -j LOG --A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -j LOG --A logdrop-2 -j TEE --gateway fc00::1 --A logdrop-2 -j DROP --A logdrop-3 -j TEE --gateway fc00::2 --A logdrop-3 -j DROP --A logdrop-4 -j DROP 
--A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-1 -j TEE --gateway fc00::1 --A logpass-2 -j TEE --gateway fc00::2 COMMIT *mangle :INPUT ACCEPT [0:0] diff --git a/test/output/filter-limit/dump b/test/output/filter-limit/dump index 1496458..dcd396d 100644 --- a/test/output/filter-limit/dump +++ b/test/output/filter-limit/dump 
@@ -59162,244 +59162,11 @@ Filter 3912 {"update-limit":{"addr":"dest","measure":"fl inet6/filter/INPUT -m recent --name user:B --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set inet6/filter/OUTPUT -m recent --name user:B --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -Filter 3913 {} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 3914 {"action":"drop"} -(log) - inet/filter/FORWARD -j logdrop-1650 - inet/filter/INPUT -j logdrop-1650 - inet/filter/OUTPUT -j logdrop-1650 - inet/filter/logdrop-1650 -m limit --limit 1/second -j LOG - inet/filter/logdrop-1650 -j DROP - inet6/filter/FORWARD -j logdrop-1650 - inet6/filter/INPUT -j logdrop-1650 - inet6/filter/OUTPUT -j logdrop-1650 - inet6/filter/logdrop-1650 -m limit --limit 1/second -j LOG - inet6/filter/logdrop-1650 -j DROP - -Filter 3915 {"action":"pass"} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 3916 {"log":false} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 3917 {"action":"drop","log":false} -(log) - inet/filter/FORWARD -j DROP - inet/filter/INPUT -j DROP - inet/filter/OUTPUT -j DROP - inet6/filter/FORWARD -j DROP - inet6/filter/INPUT -j DROP - inet6/filter/OUTPUT -j DROP - -Filter 3918 {"action":"pass","log":false} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 3919 {"log":true} -(log) - inet/filter/FORWARD -j logaccept-66 - inet/filter/INPUT -j logaccept-66 - inet/filter/OUTPUT -j logaccept-66 - inet/filter/logaccept-66 -m limit --limit 1/second -j LOG - inet/filter/logaccept-66 
-j ACCEPT - inet6/filter/FORWARD -j logaccept-66 - inet6/filter/INPUT -j logaccept-66 - inet6/filter/OUTPUT -j logaccept-66 - inet6/filter/logaccept-66 -m limit --limit 1/second -j LOG - inet6/filter/logaccept-66 -j ACCEPT - -Filter 3920 {"action":"drop","log":true} -(log) - inet/filter/FORWARD -j logdrop-1651 - inet/filter/INPUT -j logdrop-1651 - inet/filter/OUTPUT -j logdrop-1651 - inet/filter/logdrop-1651 -m limit --limit 1/second -j LOG - inet/filter/logdrop-1651 -j DROP - inet6/filter/FORWARD -j logdrop-1651 - inet6/filter/INPUT -j logdrop-1651 - inet6/filter/OUTPUT -j logdrop-1651 - inet6/filter/logdrop-1651 -m limit --limit 1/second -j LOG - inet6/filter/logdrop-1651 -j DROP - -Filter 3921 {"action":"pass","log":true} -(log) - inet/filter/FORWARD -j logpass-0 - inet/filter/INPUT -j logpass-0 - inet/filter/OUTPUT -j logpass-0 - inet/filter/logpass-0 -m limit --limit 1/second -j LOG - inet6/filter/FORWARD -j logpass-0 - inet6/filter/INPUT -j logpass-0 - inet6/filter/OUTPUT -j logpass-0 - inet6/filter/logpass-0 -m limit --limit 1/second -j LOG - -Filter 3922 {"log":"dual"} -(log) - inet/filter/FORWARD -j logaccept-67 - inet/filter/INPUT -j logaccept-67 - inet/filter/OUTPUT -j logaccept-67 - inet/filter/logaccept-67 -j LOG - inet/filter/logaccept-67 -j ACCEPT - inet6/filter/FORWARD -j logaccept-67 - inet6/filter/INPUT -j logaccept-67 - inet6/filter/OUTPUT -j logaccept-67 - inet6/filter/logaccept-67 -j LOG - inet6/filter/logaccept-67 -j TEE --gateway fc00::1 - inet6/filter/logaccept-67 -j ACCEPT - -Filter 3923 {"action":"drop","log":"dual"} -(log) - inet/filter/FORWARD -j logdrop-1652 - inet/filter/INPUT -j logdrop-1652 - inet/filter/OUTPUT -j logdrop-1652 - inet/filter/logdrop-1652 -j LOG - inet/filter/logdrop-1652 -j DROP - inet6/filter/FORWARD -j logdrop-1652 - inet6/filter/INPUT -j logdrop-1652 - inet6/filter/OUTPUT -j logdrop-1652 - inet6/filter/logdrop-1652 -j LOG - inet6/filter/logdrop-1652 -j TEE --gateway fc00::1 - inet6/filter/logdrop-1652 -j DROP - 
-Filter 3924 {"action":"pass","log":"dual"} -(log) - inet/filter/FORWARD -j logpass-1 - inet/filter/INPUT -j logpass-1 - inet/filter/OUTPUT -j logpass-1 - inet/filter/logpass-1 -j LOG - inet6/filter/FORWARD -j logpass-1 - inet6/filter/INPUT -j logpass-1 - inet6/filter/OUTPUT -j logpass-1 - inet6/filter/logpass-1 -j LOG - inet6/filter/logpass-1 -j TEE --gateway fc00::1 - -Filter 3925 {"log":"mirror"} -(log) - inet/filter/FORWARD -j logaccept-68 - inet/filter/INPUT -j logaccept-68 - inet/filter/OUTPUT -j logaccept-68 - inet/filter/logaccept-68 -j TEE --gateway 10.0.0.1 - inet/filter/logaccept-68 -j TEE --gateway 10.0.0.2 - inet/filter/logaccept-68 -j ACCEPT - inet6/filter/FORWARD -j logaccept-68 - inet6/filter/INPUT -j logaccept-68 - inet6/filter/OUTPUT -j logaccept-68 - inet6/filter/logaccept-68 -j TEE --gateway fc00::2 - inet6/filter/logaccept-68 -j ACCEPT - -Filter 3926 {"action":"drop","log":"mirror"} -(log) - inet/filter/FORWARD -j logdrop-1653 - inet/filter/INPUT -j logdrop-1653 - inet/filter/OUTPUT -j logdrop-1653 - inet/filter/logdrop-1653 -j TEE --gateway 10.0.0.1 - inet/filter/logdrop-1653 -j TEE --gateway 10.0.0.2 - inet/filter/logdrop-1653 -j DROP - inet6/filter/FORWARD -j logdrop-1653 - inet6/filter/INPUT -j logdrop-1653 - inet6/filter/OUTPUT -j logdrop-1653 - inet6/filter/logdrop-1653 -j TEE --gateway fc00::2 - inet6/filter/logdrop-1653 -j DROP - -Filter 3927 {"action":"pass","log":"mirror"} -(log) - inet/filter/FORWARD -j logpass-2 - inet/filter/INPUT -j logpass-2 - inet/filter/OUTPUT -j logpass-2 - inet/filter/logpass-2 -j TEE --gateway 10.0.0.1 - inet/filter/logpass-2 -j TEE --gateway 10.0.0.2 - inet6/filter/FORWARD -j logpass-2 - inet6/filter/INPUT -j logpass-2 - inet6/filter/OUTPUT -j logpass-2 - inet6/filter/logpass-2 -j TEE --gateway fc00::2 - -Filter 3928 {"log":"none"} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - 
inet6/filter/OUTPUT -j ACCEPT - -Filter 3929 {"action":"drop","log":"none"} -(log) - inet/filter/FORWARD -j DROP - inet/filter/INPUT -j DROP - inet/filter/OUTPUT -j DROP - inet6/filter/FORWARD -j DROP - inet6/filter/INPUT -j DROP - inet6/filter/OUTPUT -j DROP - -Filter 3930 {"action":"pass","log":"none"} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 3931 {"log":"ulog"} -(log) - inet/filter/FORWARD -j logaccept-69 - inet/filter/INPUT -j logaccept-69 - inet/filter/OUTPUT -j logaccept-69 - inet/filter/logaccept-69 -m limit --limit 12/minute -j ULOG - inet/filter/logaccept-69 -j ACCEPT - inet6/filter/FORWARD -j logaccept-69 - inet6/filter/INPUT -j logaccept-69 - inet6/filter/OUTPUT -j logaccept-69 - inet6/filter/logaccept-69 -j ACCEPT - -Filter 3932 {"action":"drop","log":"ulog"} -(log) - inet/filter/FORWARD -j logdrop-1654 - inet/filter/INPUT -j logdrop-1654 - inet/filter/OUTPUT -j logdrop-1654 - inet/filter/logdrop-1654 -m limit --limit 12/minute -j ULOG - inet/filter/logdrop-1654 -j DROP - inet6/filter/FORWARD -j logdrop-1654 - inet6/filter/INPUT -j logdrop-1654 - inet6/filter/OUTPUT -j logdrop-1654 - inet6/filter/logdrop-1654 -j DROP - -Filter 3933 {"action":"pass","log":"ulog"} -(log) - inet/filter/FORWARD -j logpass-3 - inet/filter/INPUT -j logpass-3 - inet/filter/OUTPUT -j logpass-3 - inet/filter/logpass-3 -m limit --limit 12/minute -j ULOG - -Filter 3934 {"action":"pass","in":"_fw","log":"ulog"} +Filter 3913 {"action":"pass","in":"_fw","log":"ulog"} (log) inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG -Filter 3935 {"in":["_fw","A"]} +Filter 3914 {"in":["_fw","A"]} (zone) inet/filter/FORWARD -i eth0 -j ACCEPT inet/filter/INPUT -i eth0 -j ACCEPT 
@@ -59408,12 +59175,12 @@ Filter 3935 {"in":["_fw","A"]} inet6/filter/INPUT -i eth0 -j ACCEPT inet6/filter/OUTPUT -j ACCEPT -Filter 3936 {"in":"B","out":"C"} +Filter 3915 {"in":"B","out":"C"} (zone) inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT -Filter 3937 {"out":["_fw","B"]} +Filter 3916 {"out":["_fw","B"]} (zone) inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT inet/filter/INPUT -j ACCEPT @@ -59422,7 +59189,7 @@ Filter 3937 {"out":["_fw","B"]} inet6/filter/INPUT -j ACCEPT inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT -Filter 3938 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} +Filter 3917 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} (zone) inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT @@ -63638,10 +63405,6 @@ hash:net family inet :logaccept-63 - [0:0] :logaccept-64 - [0:0] :logaccept-65 - [0:0] -:logaccept-66 - [0:0] -:logaccept-67 - [0:0] -:logaccept-68 - [0:0] -:logaccept-69 - [0:0] :logaccept-7 - [0:0] :logaccept-8 - [0:0] :logaccept-9 - [0:0] @@ -64709,11 +64472,6 @@ hash:net family inet :logdrop-1648 - [0:0] :logdrop-1649 - [0:0] :logdrop-165 - [0:0] -:logdrop-1650 - [0:0] -:logdrop-1651 - [0:0] -:logdrop-1652 - [0:0] -:logdrop-1653 - [0:0] -:logdrop-1654 - [0:0] :logdrop-166 - [0:0] :logdrop-167 - [0:0] :logdrop-168 - [0:0] @@ -66189,10 +65947,6 @@ hash:net family inet :logdrop-ntp-97 - [0:0] :logdrop-ntp-98 - [0:0] :logdrop-ntp-99 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] -:logpass-3 - [0:0] -A FORWARD -m recent --name user:B --rdest --mask 255.255.255.255 --set -A FORWARD -m recent --name user:B --rsource --mask 255.255.255.255 --set -A FORWARD -j limit-2927 
@@ -68664,27 +68418,6 @@ hash:net family inet -A FORWARD -m recent --name user:D --rsource --mask 255.255.252.0 --set -A FORWARD -m recent --name user:A --rsource --mask 255.255.255.255 --set -A FORWARD -m recent --name user:A --rdest --mask 255.255.255.255 --set --A FORWARD -j ACCEPT --A FORWARD -j logdrop-1650 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-66 --A FORWARD -j logdrop-1651 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-67 --A FORWARD -j logdrop-1652 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-68 --A FORWARD -j logdrop-1653 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-69 --A FORWARD -j logdrop-1654 --A FORWARD -j logpass-3 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT @@ -71212,27 +70945,6 @@ hash:net family inet -A INPUT -m recent --name user:D --rsource --mask 255.255.252.0 --set -A INPUT -m recent --name user:A --rsource --mask 255.255.255.255 --set -A INPUT -m recent --name user:A --rdest --mask 255.255.255.255 --set --A INPUT -j ACCEPT --A INPUT -j logdrop-1650 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-66 --A INPUT -j logdrop-1651 --A INPUT -j logpass-0 --A INPUT -j logaccept-67 --A INPUT -j logdrop-1652 --A INPUT -j logpass-1 --A INPUT -j logaccept-68 --A INPUT -j logdrop-1653 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-69 --A INPUT -j logdrop-1654 --A INPUT -j logpass-3 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmp -j icmp-routing 
@@ -75194,27 +74906,6 @@ hash:net family inet -A OUTPUT -m recent --name user:D --rsource --mask 255.255.252.0 --set -A OUTPUT -m recent --name user:A --rsource --mask 255.255.255.255 --set -A OUTPUT -m recent --name user:A --rdest --mask 255.255.255.255 --set --A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-1650 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-66 --A OUTPUT -j logdrop-1651 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-67 --A OUTPUT -j logdrop-1652 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-68 --A OUTPUT -j logdrop-1653 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-69 --A OUTPUT -j logdrop-1654 --A OUTPUT -j logpass-3 -A OUTPUT -m limit --limit 12/minute -j ULOG -A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT @@ -84169,15 +83860,6 @@ hash:net family inet -A logaccept-64 -j ACCEPT -A logaccept-65 -m limit --limit 12/minute -j ULOG -A logaccept-65 -j ACCEPT --A logaccept-66 -m limit --limit 1/second -j LOG --A logaccept-66 -j ACCEPT --A logaccept-67 -j LOG --A logaccept-67 -j ACCEPT --A logaccept-68 -j TEE --gateway 10.0.0.1 --A logaccept-68 -j TEE --gateway 10.0.0.2 --A logaccept-68 -j ACCEPT --A logaccept-69 -m limit --limit 12/minute -j ULOG --A logaccept-69 -j ACCEPT -A logaccept-7 -j TEE --gateway 10.0.0.1 -A logaccept-7 -j TEE --gateway 10.0.0.2 -A logaccept-7 -j ACCEPT 
@@ -86682,17 +86364,6 @@ hash:net family inet -A logdrop-165 -j TEE --gateway 10.0.0.1 -A logdrop-165 -j TEE --gateway 10.0.0.2 -A logdrop-165 -j DROP --A logdrop-1650 -m limit --limit 1/second -j LOG --A logdrop-1650 -j DROP --A logdrop-1651 -m limit --limit 1/second -j LOG --A logdrop-1651 -j DROP --A logdrop-1652 -j LOG --A logdrop-1652 -j DROP --A logdrop-1653 -j TEE --gateway 10.0.0.1 --A logdrop-1653 -j TEE --gateway 10.0.0.2 --A logdrop-1653 -j DROP --A logdrop-1654 -m limit --limit 12/minute -j ULOG --A logdrop-1654 -j DROP -A logdrop-166 -j TEE --gateway 10.0.0.1 -A logdrop-166 -j TEE --gateway 10.0.0.2 -A logdrop-166 -j DROP @@ -90107,11 +89778,6 @@ hash:net family inet -A logdrop-ntp-98 -j DROP -A logdrop-ntp-99 -m limit --limit 1/second -j LOG -A logdrop-ntp-99 -j DROP --A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-2 -j TEE --gateway 10.0.0.1 --A logpass-2 -j TEE --gateway 10.0.0.2 --A logpass-3 -m limit --limit 12/minute -j ULOG COMMIT *mangle :FORWARD ACCEPT [0:0] @@ -95449,10 +95115,6 @@ COMMIT :logaccept-63 - [0:0] :logaccept-64 - [0:0] :logaccept-65 - [0:0] -:logaccept-66 - [0:0] -:logaccept-67 - [0:0] -:logaccept-68 - [0:0] -:logaccept-69 - [0:0] :logaccept-7 - [0:0] :logaccept-8 - [0:0] :logaccept-9 - [0:0] @@ -96520,11 +96182,6 @@ COMMIT :logdrop-1648 - [0:0] :logdrop-1649 - [0:0] :logdrop-165 - [0:0] -:logdrop-1650 - [0:0] -:logdrop-1651 - [0:0] -:logdrop-1652 - [0:0] -:logdrop-1653 - [0:0] -:logdrop-1654 - [0:0] :logdrop-166 - [0:0] :logdrop-167 - [0:0] :logdrop-168 - [0:0] @@ -98000,9 +97657,6 @@ COMMIT :logdrop-ntp-97 - [0:0] :logdrop-ntp-98 - [0:0] :logdrop-ntp-99 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] -A FORWARD -m recent --name user:B --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A FORWARD -m recent --name user:B --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A FORWARD -j limit-2927 
@@ -100474,26 +100128,6 @@ COMMIT -A FORWARD -m recent --name user:D --rsource --mask ffff:ffff:ffff:ffc0:: --set -A FORWARD -m recent --name user:A --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A FORWARD -m recent --name user:A --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set --A FORWARD -j ACCEPT --A FORWARD -j logdrop-1650 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-66 --A FORWARD -j logdrop-1651 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-67 --A FORWARD -j logdrop-1652 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-68 --A FORWARD -j logdrop-1653 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-69 --A FORWARD -j logdrop-1654 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT @@ -102995,26 +102629,6 @@ COMMIT -A INPUT -m recent --name user:D --rsource --mask ffff:ffff:ffff:ffc0:: --set -A INPUT -m recent --name user:A --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A INPUT -m recent --name user:A --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set --A INPUT -j ACCEPT --A INPUT -j logdrop-1650 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-66 --A INPUT -j logdrop-1651 --A INPUT -j logpass-0 --A INPUT -j logaccept-67 --A INPUT -j logdrop-1652 --A INPUT -j logpass-1 --A INPUT -j logaccept-68 --A INPUT -j logdrop-1653 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-69 --A INPUT -j logdrop-1654 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmpv6 -j ACCEPT 
@@ -106977,26 +106591,6 @@ COMMIT -A OUTPUT -m recent --name user:A --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A OUTPUT -m recent --name user:A --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-1650 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-66 --A OUTPUT -j logdrop-1651 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-67 --A OUTPUT -j logdrop-1652 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-68 --A OUTPUT -j logdrop-1653 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-69 --A OUTPUT -j logdrop-1654 --A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT -A OUTPUT -p icmpv6 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT @@ -114538,14 +114132,6 @@ COMMIT -A logaccept-64 -j TEE --gateway fc00::2 -A logaccept-64 -j ACCEPT -A logaccept-65 -j ACCEPT --A logaccept-66 -m limit --limit 1/second -j LOG --A logaccept-66 -j ACCEPT --A logaccept-67 -j LOG --A logaccept-67 -j TEE --gateway fc00::1 --A logaccept-67 -j ACCEPT --A logaccept-68 -j TEE --gateway fc00::2 --A logaccept-68 -j ACCEPT --A logaccept-69 -j ACCEPT -A logaccept-7 -j TEE --gateway fc00::2 -A logaccept-7 -j ACCEPT -A logaccept-8 -j ACCEPT @@ -116296,16 +115882,6 @@ COMMIT -A logdrop-1649 -j DROP -A logdrop-165 -j TEE --gateway fc00::2 -A logdrop-165 -j DROP --A logdrop-1650 -m limit --limit 1/second -j LOG --A logdrop-1650 -j DROP --A logdrop-1651 -m limit --limit 1/second -j LOG --A logdrop-1651 -j DROP --A logdrop-1652 -j LOG --A logdrop-1652 -j TEE --gateway fc00::1 --A logdrop-1652 -j DROP --A logdrop-1653 -j TEE --gateway fc00::2 --A logdrop-1653 -j DROP --A logdrop-1654 -j DROP -A logdrop-166 -j TEE --gateway fc00::2 -A logdrop-166 -j DROP -A logdrop-167 -j TEE --gateway fc00::2 
@@ -118806,10 +118382,6 @@ COMMIT -A logdrop-ntp-98 -j DROP -A logdrop-ntp-99 -m limit --limit 1/second -j LOG -A logdrop-ntp-99 -j DROP --A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-1 -j TEE --gateway fc00::1 --A logpass-2 -j TEE --gateway fc00::2 COMMIT *mangle :INPUT ACCEPT [0:0] diff --git a/test/output/filter-limit/rules-save b/test/output/filter-limit/rules-save index f8c1296..059e448 100644 --- a/test/output/filter-limit/rules-save +++ b/test/output/filter-limit/rules-save @@ -3811,10 +3811,6 @@ :logaccept-63 - [0:0] :logaccept-64 - [0:0] :logaccept-65 - [0:0] -:logaccept-66 - [0:0] -:logaccept-67 - [0:0] -:logaccept-68 - [0:0] -:logaccept-69 - [0:0] :logaccept-7 - [0:0] :logaccept-8 - [0:0] :logaccept-9 - [0:0] @@ -4882,11 +4878,6 @@ :logdrop-1648 - [0:0] :logdrop-1649 - [0:0] :logdrop-165 - [0:0] -:logdrop-1650 - [0:0] -:logdrop-1651 - [0:0] -:logdrop-1652 - [0:0] -:logdrop-1653 - [0:0] -:logdrop-1654 - [0:0] :logdrop-166 - [0:0] :logdrop-167 - [0:0] :logdrop-168 - [0:0] @@ -6362,10 +6353,6 @@ :logdrop-ntp-97 - [0:0] :logdrop-ntp-98 - [0:0] :logdrop-ntp-99 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] -:logpass-3 - [0:0] -A FORWARD -m recent --name user:B --rdest --mask 255.255.255.255 --set -A FORWARD -m recent --name user:B --rsource --mask 255.255.255.255 --set -A FORWARD -j limit-2927 
@@ -8837,27 +8824,6 @@ -A FORWARD -m recent --name user:D --rsource --mask 255.255.252.0 --set -A FORWARD -m recent --name user:A --rsource --mask 255.255.255.255 --set -A FORWARD -m recent --name user:A --rdest --mask 255.255.255.255 --set --A FORWARD -j ACCEPT --A FORWARD -j logdrop-1650 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-66 --A FORWARD -j logdrop-1651 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-67 --A FORWARD -j logdrop-1652 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-68 --A FORWARD -j logdrop-1653 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-69 --A FORWARD -j logdrop-1654 --A FORWARD -j logpass-3 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT @@ -11385,27 +11351,6 @@ -A INPUT -m recent --name user:D --rsource --mask 255.255.252.0 --set -A INPUT -m recent --name user:A --rsource --mask 255.255.255.255 --set -A INPUT -m recent --name user:A --rdest --mask 255.255.255.255 --set --A INPUT -j ACCEPT --A INPUT -j logdrop-1650 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-66 --A INPUT -j logdrop-1651 --A INPUT -j logpass-0 --A INPUT -j logaccept-67 --A INPUT -j logdrop-1652 --A INPUT -j logpass-1 --A INPUT -j logaccept-68 --A INPUT -j logdrop-1653 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-69 --A INPUT -j logdrop-1654 --A INPUT -j logpass-3 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmp -j icmp-routing 
@@ -15367,27 +15312,6 @@ -A OUTPUT -m recent --name user:D --rsource --mask 255.255.252.0 --set -A OUTPUT -m recent --name user:A --rsource --mask 255.255.255.255 --set -A OUTPUT -m recent --name user:A --rdest --mask 255.255.255.255 --set --A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-1650 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-66 --A OUTPUT -j logdrop-1651 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-67 --A OUTPUT -j logdrop-1652 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-68 --A OUTPUT -j logdrop-1653 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-69 --A OUTPUT -j logdrop-1654 --A OUTPUT -j logpass-3 -A OUTPUT -m limit --limit 12/minute -j ULOG -A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT @@ -24342,15 +24266,6 @@ -A logaccept-64 -j ACCEPT -A logaccept-65 -m limit --limit 12/minute -j ULOG -A logaccept-65 -j ACCEPT --A logaccept-66 -m limit --limit 1/second -j LOG --A logaccept-66 -j ACCEPT --A logaccept-67 -j LOG --A logaccept-67 -j ACCEPT --A logaccept-68 -j TEE --gateway 10.0.0.1 --A logaccept-68 -j TEE --gateway 10.0.0.2 --A logaccept-68 -j ACCEPT --A logaccept-69 -m limit --limit 12/minute -j ULOG --A logaccept-69 -j ACCEPT -A logaccept-7 -j TEE --gateway 10.0.0.1 -A logaccept-7 -j TEE --gateway 10.0.0.2 -A logaccept-7 -j ACCEPT @@ -26855,17 +26770,6 @@ -A logdrop-165 -j TEE --gateway 10.0.0.1 -A logdrop-165 -j TEE --gateway 10.0.0.2 -A logdrop-165 -j DROP --A logdrop-1650 -m limit --limit 1/second -j LOG --A logdrop-1650 -j DROP --A logdrop-1651 -m limit --limit 1/second -j LOG --A logdrop-1651 -j DROP --A logdrop-1652 -j LOG --A logdrop-1652 -j DROP --A logdrop-1653 -j TEE --gateway 10.0.0.1 --A logdrop-1653 -j TEE --gateway 10.0.0.2 --A logdrop-1653 -j DROP --A logdrop-1654 -m limit --limit 12/minute -j ULOG --A logdrop-1654 -j DROP -A logdrop-166 -j TEE --gateway 10.0.0.1 -A logdrop-166 -j TEE --gateway 10.0.0.2 -A logdrop-166 -j DROP 
@@ -30280,11 +30184,6 @@ -A logdrop-ntp-98 -j DROP -A logdrop-ntp-99 -m limit --limit 1/second -j LOG -A logdrop-ntp-99 -j DROP --A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-2 -j TEE --gateway 10.0.0.1 --A logpass-2 -j TEE --gateway 10.0.0.2 --A logpass-3 -m limit --limit 12/minute -j ULOG COMMIT *mangle :FORWARD ACCEPT [0:0] diff --git a/test/output/filter-limit/rules6-save b/test/output/filter-limit/rules6-save index 9c55c12..d095677 100644 --- a/test/output/filter-limit/rules6-save +++ b/test/output/filter-limit/rules6-save @@ -3811,10 +3811,6 @@ :logaccept-63 - [0:0] :logaccept-64 - [0:0] :logaccept-65 - [0:0] -:logaccept-66 - [0:0] -:logaccept-67 - [0:0] -:logaccept-68 - [0:0] -:logaccept-69 - [0:0] :logaccept-7 - [0:0] :logaccept-8 - [0:0] :logaccept-9 - [0:0] @@ -4882,11 +4878,6 @@ :logdrop-1648 - [0:0] :logdrop-1649 - [0:0] :logdrop-165 - [0:0] -:logdrop-1650 - [0:0] -:logdrop-1651 - [0:0] -:logdrop-1652 - [0:0] -:logdrop-1653 - [0:0] -:logdrop-1654 - [0:0] :logdrop-166 - [0:0] :logdrop-167 - [0:0] :logdrop-168 - [0:0] @@ -6362,9 +6353,6 @@ :logdrop-ntp-97 - [0:0] :logdrop-ntp-98 - [0:0] :logdrop-ntp-99 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] -A FORWARD -m recent --name user:B --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A FORWARD -m recent --name user:B --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A FORWARD -j limit-2927 
@@ -8836,26 +8824,6 @@ -A FORWARD -m recent --name user:D --rsource --mask ffff:ffff:ffff:ffc0:: --set -A FORWARD -m recent --name user:A --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A FORWARD -m recent --name user:A --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set --A FORWARD -j ACCEPT --A FORWARD -j logdrop-1650 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-66 --A FORWARD -j logdrop-1651 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-67 --A FORWARD -j logdrop-1652 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-68 --A FORWARD -j logdrop-1653 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-69 --A FORWARD -j logdrop-1654 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT @@ -11357,26 +11325,6 @@ -A INPUT -m recent --name user:D --rsource --mask ffff:ffff:ffff:ffc0:: --set -A INPUT -m recent --name user:A --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A INPUT -m recent --name user:A --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set --A INPUT -j ACCEPT --A INPUT -j logdrop-1650 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-66 --A INPUT -j logdrop-1651 --A INPUT -j logpass-0 --A INPUT -j logaccept-67 --A INPUT -j logdrop-1652 --A INPUT -j logpass-1 --A INPUT -j logaccept-68 --A INPUT -j logdrop-1653 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-69 --A INPUT -j logdrop-1654 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmpv6 -j ACCEPT 
@@ -15339,26 +15287,6 @@ -A OUTPUT -m recent --name user:A --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A OUTPUT -m recent --name user:A --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-1650 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-66 --A OUTPUT -j logdrop-1651 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-67 --A OUTPUT -j logdrop-1652 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-68 --A OUTPUT -j logdrop-1653 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-69 --A OUTPUT -j logdrop-1654 --A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT -A OUTPUT -p icmpv6 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT @@ -22900,14 +22828,6 @@ -A logaccept-64 -j TEE --gateway fc00::2 -A logaccept-64 -j ACCEPT -A logaccept-65 -j ACCEPT --A logaccept-66 -m limit --limit 1/second -j LOG --A logaccept-66 -j ACCEPT --A logaccept-67 -j LOG --A logaccept-67 -j TEE --gateway fc00::1 --A logaccept-67 -j ACCEPT --A logaccept-68 -j TEE --gateway fc00::2 --A logaccept-68 -j ACCEPT --A logaccept-69 -j ACCEPT -A logaccept-7 -j TEE --gateway fc00::2 -A logaccept-7 -j ACCEPT -A logaccept-8 -j ACCEPT @@ -24658,16 +24578,6 @@ -A logdrop-1649 -j DROP -A logdrop-165 -j TEE --gateway fc00::2 -A logdrop-165 -j DROP --A logdrop-1650 -m limit --limit 1/second -j LOG --A logdrop-1650 -j DROP --A logdrop-1651 -m limit --limit 1/second -j LOG --A logdrop-1651 -j DROP --A logdrop-1652 -j LOG --A logdrop-1652 -j TEE --gateway fc00::1 --A logdrop-1652 -j DROP --A logdrop-1653 -j TEE --gateway fc00::2 --A logdrop-1653 -j DROP --A logdrop-1654 -j DROP -A logdrop-166 -j TEE --gateway fc00::2 -A logdrop-166 -j DROP -A logdrop-167 -j TEE --gateway fc00::2 
@@ -27168,10 +27078,6 @@ -A logdrop-ntp-98 -j DROP -A logdrop-ntp-99 -m limit --limit 1/second -j LOG -A logdrop-ntp-99 -j DROP --A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-1 -j TEE --gateway fc00::1 --A logpass-2 -j TEE --gateway fc00::2 COMMIT *mangle :INPUT ACCEPT [0:0] diff --git a/test/output/filter-log/dump b/test/output/filter-log/dump new file mode 100644 index 0000000..1f1e585 --- /dev/null +++ b/test/output/filter-log/dump 
@@ -0,0 +1,1056 @@ +Custom foo [{"family":"inet6","match":"-m hl --hl-lt 7","target":"REJECT --reject-with icmpv6-no-route"},{"target":"LED --led-trigger-id foo"}] +(custom-chain) + + +Dnat 1 {"in":["_fw","A"]} +(zone) + inet/nat/OUTPUT -j REDIRECT + inet/nat/PREROUTING -i eth0 -j REDIRECT + +Dnat 2 {"in":"B"} +(zone) + inet/nat/PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT + + +Filter 1 {} +(filter-log) + inet/filter/FORWARD -j ACCEPT + inet/filter/INPUT -j ACCEPT + inet/filter/OUTPUT -j ACCEPT + inet6/filter/FORWARD -j ACCEPT + inet6/filter/INPUT -j ACCEPT + inet6/filter/OUTPUT -j ACCEPT + +Filter 2 {"action":"drop"} +(filter-log) + inet/filter/FORWARD -j logdrop-0 + inet/filter/INPUT -j logdrop-0 + inet/filter/OUTPUT -j logdrop-0 + inet/filter/logdrop-0 -m limit --limit 1/second -j LOG + inet/filter/logdrop-0 -j DROP + inet6/filter/FORWARD -j logdrop-0 + inet6/filter/INPUT -j logdrop-0 + inet6/filter/OUTPUT -j logdrop-0 + inet6/filter/logdrop-0 -m limit --limit 1/second -j LOG + inet6/filter/logdrop-0 -j DROP + +Filter 3 {"action":"pass"} +(filter-log) + inet/filter/FORWARD + inet/filter/INPUT + inet/filter/OUTPUT + inet6/filter/FORWARD + inet6/filter/INPUT + inet6/filter/OUTPUT + +Filter 4 {"log":false} +(filter-log) + inet/filter/FORWARD -j ACCEPT + inet/filter/INPUT -j ACCEPT + inet/filter/OUTPUT -j ACCEPT + inet6/filter/FORWARD -j ACCEPT + inet6/filter/INPUT -j ACCEPT + inet6/filter/OUTPUT -j ACCEPT + +Filter 5 {"action":"drop","log":false} +(filter-log) + inet/filter/FORWARD -j DROP + inet/filter/INPUT -j DROP + inet/filter/OUTPUT -j DROP + inet6/filter/FORWARD -j DROP + inet6/filter/INPUT -j DROP + inet6/filter/OUTPUT -j DROP + +Filter 6 {"action":"pass","log":false} +(filter-log) + inet/filter/FORWARD + inet/filter/INPUT + inet/filter/OUTPUT + inet6/filter/FORWARD + inet6/filter/INPUT + inet6/filter/OUTPUT + +Filter 7 {"log":true} +(filter-log) + inet/filter/FORWARD -j logaccept-0 + inet/filter/INPUT -j logaccept-0 + inet/filter/OUTPUT -j logaccept-0 + 
inet/filter/logaccept-0 -m limit --limit 1/second -j LOG + inet/filter/logaccept-0 -j ACCEPT + inet6/filter/FORWARD -j logaccept-0 + inet6/filter/INPUT -j logaccept-0 + inet6/filter/OUTPUT -j logaccept-0 + inet6/filter/logaccept-0 -m limit --limit 1/second -j LOG + inet6/filter/logaccept-0 -j ACCEPT + +Filter 8 {"action":"drop","log":true} +(filter-log) + inet/filter/FORWARD -j logdrop-1 + inet/filter/INPUT -j logdrop-1 + inet/filter/OUTPUT -j logdrop-1 + inet/filter/logdrop-1 -m limit --limit 1/second -j LOG + inet/filter/logdrop-1 -j DROP + inet6/filter/FORWARD -j logdrop-1 + inet6/filter/INPUT -j logdrop-1 + inet6/filter/OUTPUT -j logdrop-1 + inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG + inet6/filter/logdrop-1 -j DROP + +Filter 9 {"action":"pass","log":true} +(filter-log) + inet/filter/FORWARD -j logpass-0 + inet/filter/INPUT -j logpass-0 + inet/filter/OUTPUT -j logpass-0 + inet/filter/logpass-0 -m limit --limit 1/second -j LOG + inet6/filter/FORWARD -j logpass-0 + inet6/filter/INPUT -j logpass-0 + inet6/filter/OUTPUT -j logpass-0 + inet6/filter/logpass-0 -m limit --limit 1/second -j LOG + +Filter 10 {"log":"dual"} +(filter-log) + inet/filter/FORWARD -j logaccept-1 + inet/filter/INPUT -j logaccept-1 + inet/filter/OUTPUT -j logaccept-1 + inet/filter/logaccept-1 -j LOG + inet/filter/logaccept-1 -j ACCEPT + inet6/filter/FORWARD -j logaccept-1 + inet6/filter/INPUT -j logaccept-1 + inet6/filter/OUTPUT -j logaccept-1 + inet6/filter/logaccept-1 -j LOG + inet6/filter/logaccept-1 -j TEE --gateway fc00::1 + inet6/filter/logaccept-1 -j ACCEPT + +Filter 11 {"action":"drop","log":"dual"} +(filter-log) + inet/filter/FORWARD -j logdrop-2 + inet/filter/INPUT -j logdrop-2 + inet/filter/OUTPUT -j logdrop-2 + inet/filter/logdrop-2 -j LOG + inet/filter/logdrop-2 -j DROP + inet6/filter/FORWARD -j logdrop-2 + inet6/filter/INPUT -j logdrop-2 + inet6/filter/OUTPUT -j logdrop-2 + inet6/filter/logdrop-2 -j LOG + inet6/filter/logdrop-2 -j TEE --gateway fc00::1 + 
inet6/filter/logdrop-2 -j DROP + +Filter 12 {"action":"pass","log":"dual"} +(filter-log) + inet/filter/FORWARD -j logpass-1 + inet/filter/INPUT -j logpass-1 + inet/filter/OUTPUT -j logpass-1 + inet/filter/logpass-1 -j LOG + inet6/filter/FORWARD -j logpass-1 + inet6/filter/INPUT -j logpass-1 + inet6/filter/OUTPUT -j logpass-1 + inet6/filter/logpass-1 -j LOG + inet6/filter/logpass-1 -j TEE --gateway fc00::1 + +Filter 13 {"log":"mirror"} +(filter-log) + inet/filter/FORWARD -j logaccept-2 + inet/filter/INPUT -j logaccept-2 + inet/filter/OUTPUT -j logaccept-2 + inet/filter/logaccept-2 -j TEE --gateway 10.0.0.1 + inet/filter/logaccept-2 -j TEE --gateway 10.0.0.2 + inet/filter/logaccept-2 -j ACCEPT + inet6/filter/FORWARD -j logaccept-2 + inet6/filter/INPUT -j logaccept-2 + inet6/filter/OUTPUT -j logaccept-2 + inet6/filter/logaccept-2 -j TEE --gateway fc00::2 + inet6/filter/logaccept-2 -j ACCEPT + +Filter 14 {"action":"drop","log":"mirror"} +(filter-log) + inet/filter/FORWARD -j logdrop-3 + inet/filter/INPUT -j logdrop-3 + inet/filter/OUTPUT -j logdrop-3 + inet/filter/logdrop-3 -j TEE --gateway 10.0.0.1 + inet/filter/logdrop-3 -j TEE --gateway 10.0.0.2 + inet/filter/logdrop-3 -j DROP + inet6/filter/FORWARD -j logdrop-3 + inet6/filter/INPUT -j logdrop-3 + inet6/filter/OUTPUT -j logdrop-3 + inet6/filter/logdrop-3 -j TEE --gateway fc00::2 + inet6/filter/logdrop-3 -j DROP + +Filter 15 {"action":"pass","log":"mirror"} +(filter-log) + inet/filter/FORWARD -j logpass-2 + inet/filter/INPUT -j logpass-2 + inet/filter/OUTPUT -j logpass-2 + inet/filter/logpass-2 -j TEE --gateway 10.0.0.1 + inet/filter/logpass-2 -j TEE --gateway 10.0.0.2 + inet6/filter/FORWARD -j logpass-2 + inet6/filter/INPUT -j logpass-2 + inet6/filter/OUTPUT -j logpass-2 + inet6/filter/logpass-2 -j TEE --gateway fc00::2 + +Filter 16 {"log":"none"} +(filter-log) + inet/filter/FORWARD -j ACCEPT + inet/filter/INPUT -j ACCEPT + inet/filter/OUTPUT -j ACCEPT + inet6/filter/FORWARD -j ACCEPT + inet6/filter/INPUT -j ACCEPT 
+ inet6/filter/OUTPUT -j ACCEPT + +Filter 17 {"action":"drop","log":"none"} +(filter-log) + inet/filter/FORWARD -j DROP + inet/filter/INPUT -j DROP + inet/filter/OUTPUT -j DROP + inet6/filter/FORWARD -j DROP + inet6/filter/INPUT -j DROP + inet6/filter/OUTPUT -j DROP + +Filter 18 {"action":"pass","log":"none"} +(filter-log) + inet/filter/FORWARD + inet/filter/INPUT + inet/filter/OUTPUT + inet6/filter/FORWARD + inet6/filter/INPUT + inet6/filter/OUTPUT + +Filter 19 {"log":"ulog"} +(filter-log) + inet/filter/FORWARD -j logaccept-3 + inet/filter/INPUT -j logaccept-3 + inet/filter/OUTPUT -j logaccept-3 + inet/filter/logaccept-3 -m limit --limit 12/minute -j ULOG + inet/filter/logaccept-3 -j ACCEPT + inet6/filter/FORWARD -j logaccept-3 + inet6/filter/INPUT -j logaccept-3 + inet6/filter/OUTPUT -j logaccept-3 + inet6/filter/logaccept-3 -j ACCEPT + +Filter 20 {"action":"drop","log":"ulog"} +(filter-log) + inet/filter/FORWARD -j logdrop-4 + inet/filter/INPUT -j logdrop-4 + inet/filter/OUTPUT -j logdrop-4 + inet/filter/logdrop-4 -m limit --limit 12/minute -j ULOG + inet/filter/logdrop-4 -j DROP + inet6/filter/FORWARD -j logdrop-4 + inet6/filter/INPUT -j logdrop-4 + inet6/filter/OUTPUT -j logdrop-4 + inet6/filter/logdrop-4 -j DROP + +Filter 21 {"action":"pass","log":"ulog"} +(filter-log) + inet/filter/FORWARD -j logpass-3 + inet/filter/INPUT -j logpass-3 + inet/filter/OUTPUT -j logpass-3 + inet/filter/logpass-3 -m limit --limit 12/minute -j ULOG + +Filter 22 {"action":"pass","in":"_fw","log":"ulog"} +(log) + inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG + +Filter 23 {"in":["_fw","A"]} +(zone) + inet/filter/FORWARD -i eth0 -j ACCEPT + inet/filter/INPUT -i eth0 -j ACCEPT + inet/filter/OUTPUT -j ACCEPT + inet6/filter/FORWARD -i eth0 -j ACCEPT + inet6/filter/INPUT -i eth0 -j ACCEPT + inet6/filter/OUTPUT -j ACCEPT + +Filter 24 {"in":"B","out":"C"} +(zone) + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 
10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + +Filter 25 {"out":["_fw","B"]} +(zone) + inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/INPUT -j ACCEPT + inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/INPUT -j ACCEPT + inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT + +Filter 26 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} +(zone) + inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j 
ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i 
eth4 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT + + +Ipset awall-masquerade {"family":"inet","type":"hash:net"} +(masquerade) + + +Limit B true +(limit) + +Limit C 7 +(limit) + +Limit D {"inet":22,"inet6":58} +(limit) + + +Log _default {"limit":1} +(defaults) + +Log dual {"mirror":"fc00::1","mode":"log"} +(log) + +Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]} +(log) + +Log nflog {"group":1,"mode":"nflog","range":128} +(log) + +Log none {"mode":"none"} +(log) + +Log ulog {"limit":{"interval":5},"mode":"ulog"} +(log) + + +Mark 1 {"in":["_fw","A"],"mark":1} +(zone) + inet/mangle/OUTPUT -j MARK --set-mark 1 + inet/mangle/PREROUTING -i eth0 -j MARK --set-mark 1 + inet6/mangle/OUTPUT -j MARK --set-mark 1 + inet6/mangle/PREROUTING -i eth0 -j MARK --set-mark 1 + +Mark 2 {"in":"B","mark":2,"out":"C"} +(zone) + inet/mangle/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j MARK --set-mark 2 + inet/mangle/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j MARK --set-mark 2 + +Mark 3 {"mark":3,"out":["_fw","B"]} +(zone) + inet/mangle/INPUT -j MARK --set-mark 3 + inet/mangle/POSTROUTING -o 
eth1 -d 10.0.0.0/12 -j MARK --set-mark 3 + inet6/mangle/INPUT -j MARK --set-mark 3 + inet6/mangle/POSTROUTING -o eth1 -d fc00::/7 -j MARK --set-mark 3 + + +No-track 1 {"in":["_fw","A"]} +(zone) + inet/raw/OUTPUT -j CT --notrack + inet/raw/PREROUTING -i eth0 -j CT --notrack + inet6/raw/OUTPUT -j CT --notrack + inet6/raw/PREROUTING -i eth0 -j CT --notrack + +No-track 2 {"in":"B"} +(zone) + inet/raw/PREROUTING -i eth1 -s 10.0.0.0/12 -j CT --notrack + inet6/raw/PREROUTING -i eth1 -s fc00::/7 -j CT --notrack + +No-track 3 {"out":"_fw"} +(zone) + inet/raw/PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack + inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack + + +Packet-log 1 {"out":"_fw"} +(log) + inet/filter/INPUT -m limit --limit 1/second -j LOG + inet6/filter/INPUT -m limit --limit 1/second -j LOG + +Packet-log 2 {"log":"mirror","out":"_fw"} +(log) + inet/filter/INPUT -j TEE --gateway 10.0.0.1 + inet/filter/INPUT -j TEE --gateway 10.0.0.2 + inet6/filter/INPUT -j TEE --gateway fc00::2 + +Packet-log 3 {"log":"nflog","out":"_fw"} +(log) + inet/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128 + inet6/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128 + +Packet-log 4 {"log":"ulog","out":"_fw"} +(log) + inet/filter/INPUT -m limit --limit 12/minute -j ULOG + + +Service babel {"port":6697,"proto":"tcp"} +(services) + +Service bacula-dir {"port":9101,"proto":"tcp"} +(services) + +Service bacula-fd {"port":9102,"proto":"tcp"} +(services) + +Service bacula-sd {"port":9103,"proto":"tcp"} +(services) + +Service bgp {"port":179,"proto":"tcp"} +(services) + +Service dhcp {"family":"inet","port":[67,68],"proto":"udp"} +(services) + +Service discard [{"port":9,"proto":"tcp"},{"port":9,"proto":"udp"}] +(services) + +Service dns [{"port":53,"proto":"tcp"},{"port":53,"proto":"udp"}] +(services) + +Service epmap [{"port":135,"proto":"tcp"},{"port":135,"proto":"udp"}] +(services) + +Service ftp {"ct-helper":"ftp","port":21,"proto":"tcp"} +(services) + +Service 
gre {"proto":"gre"} +(services) + +Service hp-pdl {"port":9100,"proto":"tcp"} +(services) + +Service http {"port":80,"proto":"tcp"} +(services) + +Service http-alt {"port":8080,"proto":"tcp"} +(services) + +Service https {"port":443,"proto":"tcp"} +(services) + +Service icmp {"proto":"icmp"} +(services) + +Service igmp {"proto":"igmp"} +(services) + +Service imap {"port":143,"proto":"tcp"} +(services) + +Service imaps {"port":993,"proto":"tcp"} +(services) + +Service ipsec [{"proto":"esp"},{"port":[500,4500],"proto":"udp"}] +(services) + +Service irc {"ct-helper":"irc","port":6667,"proto":"tcp"} +(services) + +Service kerberos [{"port":88,"proto":"tcp"},{"port":88,"proto":"udp"}] +(services) + +Service kpasswd [{"port":464,"proto":"tcp"},{"port":464,"proto":"udp"}] +(services) + +Service l2tp {"port":1701,"proto":"udp"} +(services) + +Service ldap [{"port":389,"proto":"tcp"},{"port":389,"proto":"udp"}] +(services) + +Service ldaps [{"port":636,"proto":"tcp"},{"port":636,"proto":"udp"}] +(services) + +Service microsoft-ds [{"port":445,"proto":"tcp"},{"port":445,"proto":"udp"}] +(services) + +Service mqtt {"port":1883,"proto":"tcp"} +(services) + +Service mqtt-sn {"port":1883,"proto":"udp"} +(services) + +Service mqtt-ws {"port":8083,"proto":"tcp"} +(services) + +Service ms-sql-m {"port":1434,"proto":"tcp"} +(services) + +Service ms-sql-s {"port":1433,"proto":"tcp"} +(services) + +Service msft-gc [{"port":3268,"proto":"tcp"},{"port":3268,"proto":"udp"}] +(services) + +Service msft-gc-ssl [{"port":3269,"proto":"tcp"},{"port":3269,"proto":"udp"}] +(services) + +Service netbios-ds [{"port":138,"proto":"tcp"},{"port":138,"proto":"udp"}] +(services) + +Service netbios-ns [{"family":"inet","port":137,"proto":"tcp"},{"ct-helper":"netbios-ns","family":"inet","port":137,"proto":"udp"}] +(services) + +Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}] +(services) + +Service ntp {"port":123,"proto":"udp"} +(services) + +Service openvpn 
{"port":1194,"proto":"udp"} +(services) + +Service ospf {"proto":"ospf"} +(services) + +Service pgsql {"port":5432,"proto":"tcp"} +(services) + +Service ping [{"proto":"icmp","reply-type":0,"type":8},{"proto":"icmpv6","reply-type":129,"type":128}] +(services) + +Service pop3 {"port":110,"proto":"tcp"} +(services) + +Service pop3s {"port":995,"proto":"tcp"} +(services) + +Service radius [{"port":1812,"proto":"tcp"},{"port":1812,"proto":"udp"}] +(services) + +Service radius-acct [{"port":1813,"proto":"tcp"},{"port":1813,"proto":"udp"}] +(services) + +Service rdp {"port":3389,"proto":"tcp"} +(services) + +Service rsync {"port":873,"proto":"tcp"} +(services) + +Service rtmp {"port":1935,"proto":"tcp"} +(services) + +Service rtsp {"port":554,"proto":"tcp"} +(services) + +Service secure-mqtt {"port":8883,"proto":"tcp"} +(services) + +Service sieve {"port":4190,"proto":"tcp"} +(services) + +Service sip [{"ct-helper":"sip","port":5060,"proto":"tcp"},{"ct-helper":"sip","port":5060,"proto":"udp"}] +(services) + +Service sip-tls [{"port":5061,"proto":"tcp"},{"port":5061,"proto":"udp"}] +(services) + +Service smtp {"port":25,"proto":"tcp"} +(services) + +Service snmp {"port":161,"proto":"udp"} +(services) + +Service snmp-trap {"port":162,"proto":"udp"} +(services) + +Service ssh {"port":22,"proto":"tcp"} +(services) + +Service submission {"port":587,"proto":"tcp"} +(services) + +Service syslog {"port":514,"proto":"udp"} +(services) + +Service telnet {"port":23,"proto":"tcp"} +(services) + +Service teredo {"port":3544,"proto":"udp"} +(services) + +Service tftp {"port":69,"proto":"udp"} +(services) + +Service tinc [{"port":655,"proto":"tcp"},{"port":655,"proto":"udp"}] +(services) + +Service vnc {"port":5900,"proto":"tcp"} +(services) + +Service zabbix-agent {"port":10050,"proto":"tcp"} +(services) + +Service zabbix-trapper {"port":10051,"proto":"tcp"} +(services) + + +Snat 1 {"out":"A"} +(zone) + inet/nat/POSTROUTING -o eth0 -j MASQUERADE + +Snat 2 
{"out":["_fw","B"],"to-addr":"10.1.2.3"} +(zone) + inet/nat/INPUT -j SNAT --to-source 10.1.2.3 + inet/nat/POSTROUTING -o eth1 -d 10.0.0.0/12 -j SNAT --to-source 10.1.2.3 + + +Variable awall_dedicated_chains false +(defaults) + +Variable awall_tproxy_mark 1 +(defaults) + + +Zone A {"iface":"eth0"} +(zone) + +Zone B {"addr":["10.0.0.0\/12","fc00::\/7"],"iface":"eth1"} +(zone) + +Zone C {"addr":"10.1.0.0\/12","iface":["eth2","eth3"]} +(zone) + +Zone D {"iface":["eth4","eth5"],"route-back":true} +(zone) + +Zone E {"ipsec":true} +(zone) + + +# ipset awall-masquerade +hash:net family inet + + +# rules-save generated by awall +*filter +:FORWARD DROP [0:0] +:INPUT DROP [0:0] +:OUTPUT DROP [0:0] +:icmp-routing - [0:0] +:logaccept-0 - [0:0] +:logaccept-1 - [0:0] +:logaccept-2 - [0:0] +:logaccept-3 - [0:0] +:logdrop-0 - [0:0] +:logdrop-1 - [0:0] +:logdrop-2 - [0:0] +:logdrop-3 - [0:0] +:logdrop-4 - [0:0] +:logpass-0 - [0:0] +:logpass-1 - [0:0] +:logpass-2 - [0:0] +:logpass-3 - [0:0] +-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A FORWARD -j ACCEPT +-A FORWARD -j logdrop-0 +-A FORWARD +-A FORWARD -j ACCEPT +-A FORWARD -j DROP +-A FORWARD +-A FORWARD -j logaccept-0 +-A FORWARD -j logdrop-1 +-A FORWARD -j logpass-0 +-A FORWARD -j logaccept-1 +-A FORWARD -j logdrop-2 +-A FORWARD -j logpass-1 +-A FORWARD -j logaccept-2 +-A FORWARD -j logdrop-3 +-A FORWARD -j logpass-2 +-A FORWARD -j ACCEPT +-A FORWARD -j DROP +-A FORWARD +-A FORWARD -j logaccept-3 +-A FORWARD -j logdrop-4 +-A FORWARD -j logpass-3 +-A FORWARD -i eth0 -j ACCEPT +-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -i eth0 -o eth4 -j ACCEPT +-A FORWARD -i eth0 -o eth5 -j ACCEPT +-A FORWARD -i eth0 -m policy 
--dir out --pol ipsec -j ACCEPT +-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT +-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT +-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT +-A FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT +-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT +-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT +-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT +-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT +-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT +-A FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -i eth4 -o eth0 -j ACCEPT +-A FORWARD -i eth5 -o eth0 -j ACCEPT +-A FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -i eth4 -o eth4 -j ACCEPT +-A FORWARD -i eth4 -o eth5 -j ACCEPT +-A FORWARD -i eth5 -o eth4 -j ACCEPT +-A FORWARD -i eth5 -o eth5 -j ACCEPT +-A FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec 
-o eth2 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -p icmp -j icmp-routing +-A INPUT -m limit --limit 12/minute -j ULOG +-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128 +-A INPUT -j TEE --gateway 10.0.0.2 +-A INPUT -j TEE --gateway 10.0.0.1 +-A INPUT -m limit --limit 1/second -j LOG +-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -j ACCEPT +-A INPUT -j logdrop-0 +-A INPUT +-A INPUT -j ACCEPT +-A INPUT -j DROP +-A INPUT +-A INPUT -j logaccept-0 +-A INPUT -j logdrop-1 +-A INPUT -j logpass-0 +-A INPUT -j logaccept-1 +-A INPUT -j logdrop-2 +-A INPUT -j logpass-1 +-A INPUT -j logaccept-2 +-A INPUT -j logdrop-3 +-A INPUT -j logpass-2 +-A INPUT -j ACCEPT +-A INPUT -j DROP +-A INPUT +-A INPUT -j logaccept-3 +-A INPUT -j logdrop-4 +-A INPUT -j logpass-3 +-A INPUT -i eth0 -j ACCEPT +-A INPUT -j ACCEPT +-A INPUT -p icmp -j icmp-routing +-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A OUTPUT -o lo -j ACCEPT +-A OUTPUT -j ACCEPT +-A OUTPUT -j logdrop-0 +-A OUTPUT +-A OUTPUT -j ACCEPT +-A OUTPUT -j DROP +-A OUTPUT +-A OUTPUT -j logaccept-0 +-A OUTPUT -j logdrop-1 +-A OUTPUT -j logpass-0 +-A OUTPUT -j logaccept-1 +-A OUTPUT -j logdrop-2 +-A OUTPUT -j logpass-1 +-A OUTPUT -j logaccept-2 +-A OUTPUT -j logdrop-3 +-A OUTPUT -j logpass-2 +-A OUTPUT -j ACCEPT +-A OUTPUT -j DROP +-A OUTPUT +-A OUTPUT -j logaccept-3 +-A OUTPUT -j logdrop-4 +-A OUTPUT -j logpass-3 +-A OUTPUT -m limit --limit 12/minute -j ULOG +-A OUTPUT -j ACCEPT +-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A OUTPUT -p icmp -j icmp-routing +-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT +-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT +-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT +-A 
logaccept-0 -m limit --limit 1/second -j LOG +-A logaccept-0 -j ACCEPT +-A logaccept-1 -j LOG +-A logaccept-1 -j ACCEPT +-A logaccept-2 -j TEE --gateway 10.0.0.1 +-A logaccept-2 -j TEE --gateway 10.0.0.2 +-A logaccept-2 -j ACCEPT +-A logaccept-3 -m limit --limit 12/minute -j ULOG +-A logaccept-3 -j ACCEPT +-A logdrop-0 -m limit --limit 1/second -j LOG +-A logdrop-0 -j DROP +-A logdrop-1 -m limit --limit 1/second -j LOG +-A logdrop-1 -j DROP +-A logdrop-2 -j LOG +-A logdrop-2 -j DROP +-A logdrop-3 -j TEE --gateway 10.0.0.1 +-A logdrop-3 -j TEE --gateway 10.0.0.2 +-A logdrop-3 -j DROP +-A logdrop-4 -m limit --limit 12/minute -j ULOG +-A logdrop-4 -j DROP +-A logpass-0 -m limit --limit 1/second -j LOG +-A logpass-1 -j LOG +-A logpass-2 -j TEE --gateway 10.0.0.1 +-A logpass-2 -j TEE --gateway 10.0.0.2 +-A logpass-3 -m limit --limit 12/minute -j ULOG +COMMIT +*mangle +:FORWARD ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j MARK --set-mark 2 +-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j MARK --set-mark 2 +-A INPUT -j MARK --set-mark 3 +-A OUTPUT -j MARK --set-mark 1 +-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j MARK --set-mark 3 +-A PREROUTING -i eth0 -j MARK --set-mark 1 +COMMIT +*nat +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +:masquerade - [0:0] +-A INPUT -j SNAT --to-source 10.1.2.3 +-A OUTPUT -j REDIRECT +-A POSTROUTING -o eth0 -j MASQUERADE +-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j SNAT --to-source 10.1.2.3 +-A POSTROUTING -m set --match-set awall-masquerade src -j masquerade +-A PREROUTING -i eth0 -j REDIRECT +-A PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT +-A masquerade -m set ! 
--match-set awall-masquerade dst -j MASQUERADE +COMMIT +*raw +:OUTPUT ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +-A OUTPUT -j CT --notrack +-A PREROUTING -i eth0 -j CT --notrack +-A PREROUTING -i eth1 -s 10.0.0.0/12 -j CT --notrack +-A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack +COMMIT + +# rules6-save generated by awall +*filter +:FORWARD DROP [0:0] +:INPUT DROP [0:0] +:OUTPUT DROP [0:0] +:icmp-routing - [0:0] +:logaccept-0 - [0:0] +:logaccept-1 - [0:0] +:logaccept-2 - [0:0] +:logaccept-3 - [0:0] +:logdrop-0 - [0:0] +:logdrop-1 - [0:0] +:logdrop-2 - [0:0] +:logdrop-3 - [0:0] +:logdrop-4 - [0:0] +:logpass-0 - [0:0] +:logpass-1 - [0:0] +:logpass-2 - [0:0] +-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A FORWARD -j ACCEPT +-A FORWARD -j logdrop-0 +-A FORWARD +-A FORWARD -j ACCEPT +-A FORWARD -j DROP +-A FORWARD +-A FORWARD -j logaccept-0 +-A FORWARD -j logdrop-1 +-A FORWARD -j logpass-0 +-A FORWARD -j logaccept-1 +-A FORWARD -j logdrop-2 +-A FORWARD -j logpass-1 +-A FORWARD -j logaccept-2 +-A FORWARD -j logdrop-3 +-A FORWARD -j logpass-2 +-A FORWARD -j ACCEPT +-A FORWARD -j DROP +-A FORWARD +-A FORWARD -j logaccept-3 +-A FORWARD -j logdrop-4 +-A FORWARD -i eth0 -j ACCEPT +-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT +-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT +-A FORWARD -i eth0 -o eth4 -j ACCEPT +-A FORWARD -i eth0 -o eth5 -j ACCEPT +-A FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT +-A FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT +-A FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT +-A FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -i eth4 -o eth0 -j ACCEPT +-A FORWARD -i eth5 -o eth0 -j ACCEPT +-A FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT +-A FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT +-A FORWARD -i eth4 -o eth4 -j ACCEPT +-A FORWARD -i eth4 -o eth5 -j ACCEPT +-A FORWARD -i eth5 -o eth4 -j ACCEPT +-A FORWARD -i eth5 -o eth5 -j ACCEPT +-A 
FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -p icmpv6 -j icmp-routing +-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128 +-A INPUT -j TEE --gateway fc00::2 +-A INPUT -m limit --limit 1/second -j LOG +-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -j ACCEPT +-A INPUT -j logdrop-0 +-A INPUT +-A INPUT -j ACCEPT +-A INPUT -j DROP +-A INPUT +-A INPUT -j logaccept-0 +-A INPUT -j logdrop-1 +-A INPUT -j logpass-0 +-A INPUT -j logaccept-1 +-A INPUT -j logdrop-2 +-A INPUT -j logpass-1 +-A INPUT -j logaccept-2 +-A INPUT -j logdrop-3 +-A INPUT -j logpass-2 +-A INPUT -j ACCEPT +-A INPUT -j DROP +-A INPUT +-A INPUT -j logaccept-3 +-A INPUT -j logdrop-4 +-A INPUT -i eth0 -j ACCEPT +-A INPUT -j ACCEPT +-A INPUT -p icmpv6 -j ACCEPT +-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A OUTPUT -o lo -j ACCEPT +-A OUTPUT -j ACCEPT +-A OUTPUT -j logdrop-0 +-A OUTPUT +-A OUTPUT -j ACCEPT +-A OUTPUT -j DROP +-A OUTPUT +-A OUTPUT -j logaccept-0 +-A OUTPUT -j logdrop-1 +-A OUTPUT -j logpass-0 +-A OUTPUT -j logaccept-1 +-A OUTPUT -j logdrop-2 +-A OUTPUT -j logpass-1 +-A OUTPUT -j logaccept-2 +-A OUTPUT -j logdrop-3 +-A OUTPUT -j logpass-2 +-A OUTPUT -j ACCEPT +-A OUTPUT -j DROP +-A OUTPUT +-A OUTPUT -j logaccept-3 +-A OUTPUT -j logdrop-4 +-A OUTPUT -j ACCEPT +-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT +-A OUTPUT -p icmpv6 -j ACCEPT +-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT +-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT +-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT +-A icmp-routing -p icmpv6 
--icmpv6-type 4 -j ACCEPT +-A logaccept-0 -m limit --limit 1/second -j LOG +-A logaccept-0 -j ACCEPT +-A logaccept-1 -j LOG +-A logaccept-1 -j TEE --gateway fc00::1 +-A logaccept-1 -j ACCEPT +-A logaccept-2 -j TEE --gateway fc00::2 +-A logaccept-2 -j ACCEPT +-A logaccept-3 -j ACCEPT +-A logdrop-0 -m limit --limit 1/second -j LOG +-A logdrop-0 -j DROP +-A logdrop-1 -m limit --limit 1/second -j LOG +-A logdrop-1 -j DROP +-A logdrop-2 -j LOG +-A logdrop-2 -j TEE --gateway fc00::1 +-A logdrop-2 -j DROP +-A logdrop-3 -j TEE --gateway fc00::2 +-A logdrop-3 -j DROP +-A logdrop-4 -j DROP +-A logpass-0 -m limit --limit 1/second -j LOG +-A logpass-1 -j LOG +-A logpass-1 -j TEE --gateway fc00::1 +-A logpass-2 -j TEE --gateway fc00::2 +COMMIT +*mangle +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +-A INPUT -j MARK --set-mark 3 +-A OUTPUT -j MARK --set-mark 1 +-A POSTROUTING -o eth1 -d fc00::/7 -j MARK --set-mark 3 +-A PREROUTING -i eth0 -j MARK --set-mark 1 +COMMIT +*raw +:OUTPUT ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +-A OUTPUT -j CT --notrack +-A PREROUTING -i eth0 -j CT --notrack +-A PREROUTING -i eth1 -s fc00::/7 -j CT --notrack +-A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack +COMMIT + diff --git a/test/output/filter-log/ipset-awall-masquerade b/test/output/filter-log/ipset-awall-masquerade new file mode 100644 index 0000000..b3a47fd --- /dev/null +++ b/test/output/filter-log/ipset-awall-masquerade @@ -0,0 +1,2 @@ +# ipset awall-masquerade +hash:net family inet diff --git a/test/output/filter-log/rules-save b/test/output/filter-log/rules-save new file mode 100644 index 0000000..295fc45 --- /dev/null +++ b/test/output/filter-log/rules-save 
@@ -0,0 +1,214 @@ +# rules-save generated by awall +*filter +:FORWARD DROP [0:0] +:INPUT DROP [0:0] +:OUTPUT DROP [0:0] +:icmp-routing - [0:0] +:logaccept-0 - [0:0] +:logaccept-1 - [0:0] +:logaccept-2 - [0:0] +:logaccept-3 - [0:0] +:logdrop-0 - [0:0] +:logdrop-1 - [0:0] +:logdrop-2 - [0:0] +:logdrop-3 - [0:0] +:logdrop-4 - [0:0] +:logpass-0 - [0:0] +:logpass-1 - [0:0] +:logpass-2 - [0:0] +:logpass-3 - [0:0] +-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A FORWARD -j ACCEPT +-A FORWARD -j logdrop-0 +-A FORWARD +-A FORWARD -j ACCEPT +-A FORWARD -j DROP +-A FORWARD +-A FORWARD -j logaccept-0 +-A FORWARD -j logdrop-1 +-A FORWARD -j logpass-0 +-A FORWARD -j logaccept-1 +-A FORWARD -j logdrop-2 +-A FORWARD -j logpass-1 +-A FORWARD -j logaccept-2 +-A FORWARD -j logdrop-3 +-A FORWARD -j logpass-2 +-A FORWARD -j ACCEPT +-A FORWARD -j DROP +-A FORWARD +-A FORWARD -j logaccept-3 +-A FORWARD -j logdrop-4 +-A FORWARD -j logpass-3 +-A FORWARD -i eth0 -j ACCEPT +-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -i eth0 -o eth4 -j ACCEPT +-A FORWARD -i eth0 -o eth5 -j ACCEPT +-A FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT +-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT +-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT +-A FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT +-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT +-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT 
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT +-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT +-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT +-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT +-A FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -i eth4 -o eth0 -j ACCEPT +-A FORWARD -i eth5 -o eth0 -j ACCEPT +-A FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -i eth4 -o eth4 -j ACCEPT +-A FORWARD -i eth4 -o eth5 -j ACCEPT +-A FORWARD -i eth5 -o eth4 -j ACCEPT +-A FORWARD -i eth5 -o eth5 -j ACCEPT +-A FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -p icmp -j icmp-routing +-A INPUT -m limit --limit 12/minute -j ULOG +-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128 +-A INPUT -j TEE --gateway 10.0.0.2 +-A INPUT -j TEE --gateway 10.0.0.1 +-A INPUT -m limit --limit 1/second -j LOG +-A INPUT -m 
conntrack --ctstate ESTABLISHED -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -j ACCEPT +-A INPUT -j logdrop-0 +-A INPUT +-A INPUT -j ACCEPT +-A INPUT -j DROP +-A INPUT +-A INPUT -j logaccept-0 +-A INPUT -j logdrop-1 +-A INPUT -j logpass-0 +-A INPUT -j logaccept-1 +-A INPUT -j logdrop-2 +-A INPUT -j logpass-1 +-A INPUT -j logaccept-2 +-A INPUT -j logdrop-3 +-A INPUT -j logpass-2 +-A INPUT -j ACCEPT +-A INPUT -j DROP +-A INPUT +-A INPUT -j logaccept-3 +-A INPUT -j logdrop-4 +-A INPUT -j logpass-3 +-A INPUT -i eth0 -j ACCEPT +-A INPUT -j ACCEPT +-A INPUT -p icmp -j icmp-routing +-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A OUTPUT -o lo -j ACCEPT +-A OUTPUT -j ACCEPT +-A OUTPUT -j logdrop-0 +-A OUTPUT +-A OUTPUT -j ACCEPT +-A OUTPUT -j DROP +-A OUTPUT +-A OUTPUT -j logaccept-0 +-A OUTPUT -j logdrop-1 +-A OUTPUT -j logpass-0 +-A OUTPUT -j logaccept-1 +-A OUTPUT -j logdrop-2 +-A OUTPUT -j logpass-1 +-A OUTPUT -j logaccept-2 +-A OUTPUT -j logdrop-3 +-A OUTPUT -j logpass-2 +-A OUTPUT -j ACCEPT +-A OUTPUT -j DROP +-A OUTPUT +-A OUTPUT -j logaccept-3 +-A OUTPUT -j logdrop-4 +-A OUTPUT -j logpass-3 +-A OUTPUT -m limit --limit 12/minute -j ULOG +-A OUTPUT -j ACCEPT +-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A OUTPUT -p icmp -j icmp-routing +-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT +-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT +-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT +-A logaccept-0 -m limit --limit 1/second -j LOG +-A logaccept-0 -j ACCEPT +-A logaccept-1 -j LOG +-A logaccept-1 -j ACCEPT +-A logaccept-2 -j TEE --gateway 10.0.0.1 +-A logaccept-2 -j TEE --gateway 10.0.0.2 +-A logaccept-2 -j ACCEPT +-A logaccept-3 -m limit --limit 12/minute -j ULOG +-A logaccept-3 -j ACCEPT +-A logdrop-0 -m limit --limit 1/second -j LOG +-A logdrop-0 -j DROP +-A logdrop-1 -m limit --limit 1/second -j LOG +-A logdrop-1 -j DROP +-A logdrop-2 -j LOG +-A logdrop-2 -j DROP +-A logdrop-3 -j TEE --gateway 10.0.0.1 +-A logdrop-3 -j TEE --gateway 10.0.0.2 +-A 
logdrop-3 -j DROP +-A logdrop-4 -m limit --limit 12/minute -j ULOG +-A logdrop-4 -j DROP +-A logpass-0 -m limit --limit 1/second -j LOG +-A logpass-1 -j LOG +-A logpass-2 -j TEE --gateway 10.0.0.1 +-A logpass-2 -j TEE --gateway 10.0.0.2 +-A logpass-3 -m limit --limit 12/minute -j ULOG +COMMIT +*mangle +:FORWARD ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j MARK --set-mark 2 +-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j MARK --set-mark 2 +-A INPUT -j MARK --set-mark 3 +-A OUTPUT -j MARK --set-mark 1 +-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j MARK --set-mark 3 +-A PREROUTING -i eth0 -j MARK --set-mark 1 +COMMIT +*nat +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +:masquerade - [0:0] +-A INPUT -j SNAT --to-source 10.1.2.3 +-A OUTPUT -j REDIRECT +-A POSTROUTING -o eth0 -j MASQUERADE +-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j SNAT --to-source 10.1.2.3 +-A POSTROUTING -m set --match-set awall-masquerade src -j masquerade +-A PREROUTING -i eth0 -j REDIRECT +-A PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT +-A masquerade -m set ! --match-set awall-masquerade dst -j MASQUERADE +COMMIT +*raw +:OUTPUT ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +-A OUTPUT -j CT --notrack +-A PREROUTING -i eth0 -j CT --notrack +-A PREROUTING -i eth1 -s 10.0.0.0/12 -j CT --notrack +-A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack +COMMIT diff --git a/test/output/filter-log/rules6-save b/test/output/filter-log/rules6-save new file mode 100644 index 0000000..d4e6291 --- /dev/null +++ b/test/output/filter-log/rules6-save 
@@ -0,0 +1,163 @@ +# rules6-save generated by awall +*filter +:FORWARD DROP [0:0] +:INPUT DROP [0:0] +:OUTPUT DROP [0:0] +:icmp-routing - [0:0] +:logaccept-0 - [0:0] +:logaccept-1 - [0:0] +:logaccept-2 - [0:0] +:logaccept-3 - [0:0] +:logdrop-0 - [0:0] +:logdrop-1 - [0:0] +:logdrop-2 - [0:0] +:logdrop-3 - [0:0] +:logdrop-4 - [0:0] +:logpass-0 - [0:0] +:logpass-1 - [0:0] +:logpass-2 - [0:0] +-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A FORWARD -j ACCEPT +-A FORWARD -j logdrop-0 +-A FORWARD +-A FORWARD -j ACCEPT +-A FORWARD -j DROP +-A FORWARD +-A FORWARD -j logaccept-0 +-A FORWARD -j logdrop-1 +-A FORWARD -j logpass-0 +-A FORWARD -j logaccept-1 +-A FORWARD -j logdrop-2 +-A FORWARD -j logpass-1 +-A FORWARD -j logaccept-2 +-A FORWARD -j logdrop-3 +-A FORWARD -j logpass-2 +-A FORWARD -j ACCEPT +-A FORWARD -j DROP +-A FORWARD +-A FORWARD -j logaccept-3 +-A FORWARD -j logdrop-4 +-A FORWARD -i eth0 -j ACCEPT +-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT +-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT +-A FORWARD -i eth0 -o eth4 -j ACCEPT +-A FORWARD -i eth0 -o eth5 -j ACCEPT +-A FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT +-A FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT +-A FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT +-A FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -i eth4 -o eth0 -j ACCEPT +-A FORWARD -i eth5 -o eth0 -j ACCEPT +-A FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT +-A FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT +-A FORWARD -i eth4 -o eth4 -j ACCEPT +-A FORWARD -i eth4 -o eth5 -j ACCEPT +-A FORWARD -i eth5 -o eth4 -j ACCEPT +-A FORWARD -i eth5 -o eth5 -j ACCEPT +-A FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT +-A FORWARD -m policy --dir in 
--pol ipsec -o eth4 -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT +-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT +-A FORWARD -p icmpv6 -j icmp-routing +-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128 +-A INPUT -j TEE --gateway fc00::2 +-A INPUT -m limit --limit 1/second -j LOG +-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -j ACCEPT +-A INPUT -j logdrop-0 +-A INPUT +-A INPUT -j ACCEPT +-A INPUT -j DROP +-A INPUT +-A INPUT -j logaccept-0 +-A INPUT -j logdrop-1 +-A INPUT -j logpass-0 +-A INPUT -j logaccept-1 +-A INPUT -j logdrop-2 +-A INPUT -j logpass-1 +-A INPUT -j logaccept-2 +-A INPUT -j logdrop-3 +-A INPUT -j logpass-2 +-A INPUT -j ACCEPT +-A INPUT -j DROP +-A INPUT +-A INPUT -j logaccept-3 +-A INPUT -j logdrop-4 +-A INPUT -i eth0 -j ACCEPT +-A INPUT -j ACCEPT +-A INPUT -p icmpv6 -j ACCEPT +-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A OUTPUT -o lo -j ACCEPT +-A OUTPUT -j ACCEPT +-A OUTPUT -j logdrop-0 +-A OUTPUT +-A OUTPUT -j ACCEPT +-A OUTPUT -j DROP +-A OUTPUT +-A OUTPUT -j logaccept-0 +-A OUTPUT -j logdrop-1 +-A OUTPUT -j logpass-0 +-A OUTPUT -j logaccept-1 +-A OUTPUT -j logdrop-2 +-A OUTPUT -j logpass-1 +-A OUTPUT -j logaccept-2 +-A OUTPUT -j logdrop-3 +-A OUTPUT -j logpass-2 +-A OUTPUT -j ACCEPT +-A OUTPUT -j DROP +-A OUTPUT +-A OUTPUT -j logaccept-3 +-A OUTPUT -j logdrop-4 +-A OUTPUT -j ACCEPT +-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT +-A OUTPUT -p icmpv6 -j ACCEPT +-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT +-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT +-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT +-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT +-A logaccept-0 -m limit --limit 1/second -j LOG +-A logaccept-0 -j ACCEPT +-A logaccept-1 -j LOG +-A logaccept-1 -j TEE --gateway fc00::1 +-A logaccept-1 -j ACCEPT +-A logaccept-2 -j TEE --gateway fc00::2 +-A logaccept-2 -j ACCEPT +-A logaccept-3 -j ACCEPT +-A 
logdrop-0 -m limit --limit 1/second -j LOG +-A logdrop-0 -j DROP +-A logdrop-1 -m limit --limit 1/second -j LOG +-A logdrop-1 -j DROP +-A logdrop-2 -j LOG +-A logdrop-2 -j TEE --gateway fc00::1 +-A logdrop-2 -j DROP +-A logdrop-3 -j TEE --gateway fc00::2 +-A logdrop-3 -j DROP +-A logdrop-4 -j DROP +-A logpass-0 -m limit --limit 1/second -j LOG +-A logpass-1 -j LOG +-A logpass-1 -j TEE --gateway fc00::1 +-A logpass-2 -j TEE --gateway fc00::2 +COMMIT +*mangle +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +-A INPUT -j MARK --set-mark 3 +-A OUTPUT -j MARK --set-mark 1 +-A POSTROUTING -o eth1 -d fc00::/7 -j MARK --set-mark 3 +-A PREROUTING -i eth0 -j MARK --set-mark 1 +COMMIT +*raw +:OUTPUT ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +-A OUTPUT -j CT --notrack +-A PREROUTING -i eth0 -j CT --notrack +-A PREROUTING -i eth1 -s fc00::/7 -j CT --notrack +-A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack +COMMIT diff --git a/test/output/filter/dump b/test/output/filter/dump index fa9c467..fdba6f8 100644 --- a/test/output/filter/dump +++ b/test/output/filter/dump 
@@ -82,244 +82,11 @@ Filter 6 {"action":"tarpit"} inet6/raw/OUTPUT -j CT --notrack inet6/raw/PREROUTING -j CT --notrack -Filter 7 {} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 8 {"action":"drop"} -(log) - inet/filter/FORWARD -j logdrop-1 - inet/filter/INPUT -j logdrop-1 - inet/filter/OUTPUT -j logdrop-1 - inet/filter/logdrop-1 -m limit --limit 1/second -j LOG - inet/filter/logdrop-1 -j DROP - inet6/filter/FORWARD -j logdrop-1 - inet6/filter/INPUT -j logdrop-1 - inet6/filter/OUTPUT -j logdrop-1 - inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG - inet6/filter/logdrop-1 -j DROP - -Filter 9 {"action":"pass"} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 10 {"log":false} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 11 {"action":"drop","log":false} -(log) - inet/filter/FORWARD -j DROP - inet/filter/INPUT -j DROP - inet/filter/OUTPUT -j DROP - inet6/filter/FORWARD -j DROP - inet6/filter/INPUT -j DROP - inet6/filter/OUTPUT -j DROP - -Filter 12 {"action":"pass","log":false} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 13 {"log":true} -(log) - inet/filter/FORWARD -j logaccept-0 - inet/filter/INPUT -j logaccept-0 - inet/filter/OUTPUT -j logaccept-0 - inet/filter/logaccept-0 -m limit --limit 1/second -j LOG - inet/filter/logaccept-0 -j ACCEPT - inet6/filter/FORWARD -j logaccept-0 - inet6/filter/INPUT -j logaccept-0 - inet6/filter/OUTPUT -j logaccept-0 - inet6/filter/logaccept-0 -m limit --limit 1/second -j LOG - inet6/filter/logaccept-0 -j ACCEPT - 
-Filter 14 {"action":"drop","log":true} -(log) - inet/filter/FORWARD -j logdrop-2 - inet/filter/INPUT -j logdrop-2 - inet/filter/OUTPUT -j logdrop-2 - inet/filter/logdrop-2 -m limit --limit 1/second -j LOG - inet/filter/logdrop-2 -j DROP - inet6/filter/FORWARD -j logdrop-2 - inet6/filter/INPUT -j logdrop-2 - inet6/filter/OUTPUT -j logdrop-2 - inet6/filter/logdrop-2 -m limit --limit 1/second -j LOG - inet6/filter/logdrop-2 -j DROP - -Filter 15 {"action":"pass","log":true} -(log) - inet/filter/FORWARD -j logpass-0 - inet/filter/INPUT -j logpass-0 - inet/filter/OUTPUT -j logpass-0 - inet/filter/logpass-0 -m limit --limit 1/second -j LOG - inet6/filter/FORWARD -j logpass-0 - inet6/filter/INPUT -j logpass-0 - inet6/filter/OUTPUT -j logpass-0 - inet6/filter/logpass-0 -m limit --limit 1/second -j LOG - -Filter 16 {"log":"dual"} -(log) - inet/filter/FORWARD -j logaccept-1 - inet/filter/INPUT -j logaccept-1 - inet/filter/OUTPUT -j logaccept-1 - inet/filter/logaccept-1 -j LOG - inet/filter/logaccept-1 -j ACCEPT - inet6/filter/FORWARD -j logaccept-1 - inet6/filter/INPUT -j logaccept-1 - inet6/filter/OUTPUT -j logaccept-1 - inet6/filter/logaccept-1 -j LOG - inet6/filter/logaccept-1 -j TEE --gateway fc00::1 - inet6/filter/logaccept-1 -j ACCEPT - -Filter 17 {"action":"drop","log":"dual"} -(log) - inet/filter/FORWARD -j logdrop-3 - inet/filter/INPUT -j logdrop-3 - inet/filter/OUTPUT -j logdrop-3 - inet/filter/logdrop-3 -j LOG - inet/filter/logdrop-3 -j DROP - inet6/filter/FORWARD -j logdrop-3 - inet6/filter/INPUT -j logdrop-3 - inet6/filter/OUTPUT -j logdrop-3 - inet6/filter/logdrop-3 -j LOG - inet6/filter/logdrop-3 -j TEE --gateway fc00::1 - inet6/filter/logdrop-3 -j DROP - -Filter 18 {"action":"pass","log":"dual"} -(log) - inet/filter/FORWARD -j logpass-1 - inet/filter/INPUT -j logpass-1 - inet/filter/OUTPUT -j logpass-1 - inet/filter/logpass-1 -j LOG - inet6/filter/FORWARD -j logpass-1 - inet6/filter/INPUT -j logpass-1 - inet6/filter/OUTPUT -j logpass-1 - 
inet6/filter/logpass-1 -j LOG - inet6/filter/logpass-1 -j TEE --gateway fc00::1 - -Filter 19 {"log":"mirror"} -(log) - inet/filter/FORWARD -j logaccept-2 - inet/filter/INPUT -j logaccept-2 - inet/filter/OUTPUT -j logaccept-2 - inet/filter/logaccept-2 -j TEE --gateway 10.0.0.1 - inet/filter/logaccept-2 -j TEE --gateway 10.0.0.2 - inet/filter/logaccept-2 -j ACCEPT - inet6/filter/FORWARD -j logaccept-2 - inet6/filter/INPUT -j logaccept-2 - inet6/filter/OUTPUT -j logaccept-2 - inet6/filter/logaccept-2 -j TEE --gateway fc00::2 - inet6/filter/logaccept-2 -j ACCEPT - -Filter 20 {"action":"drop","log":"mirror"} -(log) - inet/filter/FORWARD -j logdrop-4 - inet/filter/INPUT -j logdrop-4 - inet/filter/OUTPUT -j logdrop-4 - inet/filter/logdrop-4 -j TEE --gateway 10.0.0.1 - inet/filter/logdrop-4 -j TEE --gateway 10.0.0.2 - inet/filter/logdrop-4 -j DROP - inet6/filter/FORWARD -j logdrop-4 - inet6/filter/INPUT -j logdrop-4 - inet6/filter/OUTPUT -j logdrop-4 - inet6/filter/logdrop-4 -j TEE --gateway fc00::2 - inet6/filter/logdrop-4 -j DROP - -Filter 21 {"action":"pass","log":"mirror"} -(log) - inet/filter/FORWARD -j logpass-2 - inet/filter/INPUT -j logpass-2 - inet/filter/OUTPUT -j logpass-2 - inet/filter/logpass-2 -j TEE --gateway 10.0.0.1 - inet/filter/logpass-2 -j TEE --gateway 10.0.0.2 - inet6/filter/FORWARD -j logpass-2 - inet6/filter/INPUT -j logpass-2 - inet6/filter/OUTPUT -j logpass-2 - inet6/filter/logpass-2 -j TEE --gateway fc00::2 - -Filter 22 {"log":"none"} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 23 {"action":"drop","log":"none"} -(log) - inet/filter/FORWARD -j DROP - inet/filter/INPUT -j DROP - inet/filter/OUTPUT -j DROP - inet6/filter/FORWARD -j DROP - inet6/filter/INPUT -j DROP - inet6/filter/OUTPUT -j DROP - -Filter 24 {"action":"pass","log":"none"} -(log) - inet/filter/FORWARD - inet/filter/INPUT - 
inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 25 {"log":"ulog"} -(log) - inet/filter/FORWARD -j logaccept-3 - inet/filter/INPUT -j logaccept-3 - inet/filter/OUTPUT -j logaccept-3 - inet/filter/logaccept-3 -m limit --limit 12/minute -j ULOG - inet/filter/logaccept-3 -j ACCEPT - inet6/filter/FORWARD -j logaccept-3 - inet6/filter/INPUT -j logaccept-3 - inet6/filter/OUTPUT -j logaccept-3 - inet6/filter/logaccept-3 -j ACCEPT - -Filter 26 {"action":"drop","log":"ulog"} -(log) - inet/filter/FORWARD -j logdrop-5 - inet/filter/INPUT -j logdrop-5 - inet/filter/OUTPUT -j logdrop-5 - inet/filter/logdrop-5 -m limit --limit 12/minute -j ULOG - inet/filter/logdrop-5 -j DROP - inet6/filter/FORWARD -j logdrop-5 - inet6/filter/INPUT -j logdrop-5 - inet6/filter/OUTPUT -j logdrop-5 - inet6/filter/logdrop-5 -j DROP - -Filter 27 {"action":"pass","log":"ulog"} -(log) - inet/filter/FORWARD -j logpass-3 - inet/filter/INPUT -j logpass-3 - inet/filter/OUTPUT -j logpass-3 - inet/filter/logpass-3 -m limit --limit 12/minute -j ULOG - -Filter 28 {"action":"pass","in":"_fw","log":"ulog"} +Filter 7 {"action":"pass","in":"_fw","log":"ulog"} (log) inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG -Filter 29 {"in":["_fw","A"]} +Filter 8 {"in":["_fw","A"]} (zone) inet/filter/FORWARD -i eth0 -j ACCEPT inet/filter/INPUT -i eth0 -j ACCEPT @@ -328,12 +95,12 @@ Filter 29 {"in":["_fw","A"]} inet6/filter/INPUT -i eth0 -j ACCEPT inet6/filter/OUTPUT -j ACCEPT -Filter 30 {"in":"B","out":"C"} +Filter 9 {"in":"B","out":"C"} (zone) inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT -Filter 31 {"out":["_fw","B"]} +Filter 10 {"out":["_fw","B"]} (zone) inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT inet/filter/INPUT -j ACCEPT 
@@ -342,7 +109,7 @@ Filter 31 {"out":["_fw","B"]} inet6/filter/INPUT -j ACCEPT inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT -Filter 32 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} +Filter 11 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} (zone) inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT @@ -751,20 +518,7 @@ hash:net family inet :INPUT DROP [0:0] :OUTPUT DROP [0:0] :icmp-routing - [0:0] -:logaccept-0 - [0:0] -:logaccept-1 - [0:0] -:logaccept-2 - [0:0] -:logaccept-3 - [0:0] :logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] -:logdrop-5 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] -:logpass-3 - [0:0] :logreject-0 - [0:0] :logtarpit-0 - [0:0] :tarpit - [0:0] @@ -775,27 +529,6 @@ hash:net family inet -A FORWARD -A FORWARD -j logreject-0 -A FORWARD -j logtarpit-0 --A FORWARD -j ACCEPT --A FORWARD -j logdrop-1 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-0 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-1 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-2 --A FORWARD -j logdrop-4 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-3 --A FORWARD -j logdrop-5 --A FORWARD -j logpass-3 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT 
@@ -859,27 +592,6 @@ hash:net family inet -A INPUT -A INPUT -j logreject-0 -A INPUT -j logtarpit-0 --A INPUT -j ACCEPT --A INPUT -j logdrop-1 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-0 --A INPUT -j logdrop-2 --A INPUT -j logpass-0 --A INPUT -j logaccept-1 --A INPUT -j logdrop-3 --A INPUT -j logpass-1 --A INPUT -j logaccept-2 --A INPUT -j logdrop-4 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-3 --A INPUT -j logdrop-5 --A INPUT -j logpass-3 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmp -j icmp-routing @@ -891,27 +603,6 @@ hash:net family inet -A OUTPUT -A OUTPUT -j logreject-0 -A OUTPUT -j logtarpit-0 --A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-1 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-0 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-1 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-2 --A OUTPUT -j logdrop-4 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-3 --A OUTPUT -j logdrop-5 --A OUTPUT -j logpass-3 -A OUTPUT -m limit --limit 12/minute -j ULOG -A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT 
@@ -919,33 +610,8 @@ hash:net family inet -A icmp-routing -p icmp --icmp-type 3 -j ACCEPT -A icmp-routing -p icmp --icmp-type 11 -j ACCEPT -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT --A logaccept-0 -m limit --limit 1/second -j LOG --A logaccept-0 -j ACCEPT --A logaccept-1 -j LOG --A logaccept-1 -j ACCEPT --A logaccept-2 -j TEE --gateway 10.0.0.1 --A logaccept-2 -j TEE --gateway 10.0.0.2 --A logaccept-2 -j ACCEPT --A logaccept-3 -m limit --limit 12/minute -j ULOG --A logaccept-3 -j ACCEPT -A logdrop-0 -m limit --limit 1/second -j LOG -A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -m limit --limit 1/second -j LOG --A logdrop-2 -j DROP --A logdrop-3 -j LOG --A logdrop-3 -j DROP --A logdrop-4 -j TEE --gateway 10.0.0.1 --A logdrop-4 -j TEE --gateway 10.0.0.2 --A logdrop-4 -j DROP --A logdrop-5 -m limit --limit 12/minute -j ULOG --A logdrop-5 -j DROP --A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-2 -j TEE --gateway 10.0.0.1 --A logpass-2 -j TEE --gateway 10.0.0.2 --A logpass-3 -m limit --limit 12/minute -j ULOG -A logreject-0 -m limit --limit 1/second -j LOG -A logreject-0 -j REJECT -A logtarpit-0 -m limit --limit 1/second -j LOG @@ -998,19 +664,7 @@ COMMIT :INPUT DROP [0:0] :OUTPUT DROP [0:0] :icmp-routing - [0:0] -:logaccept-0 - [0:0] -:logaccept-1 - [0:0] -:logaccept-2 - [0:0] -:logaccept-3 - [0:0] :logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] -:logdrop-5 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] :logreject-0 - [0:0] :logtarpit-0 - [0:0] :tarpit - [0:0] 
@@ -1021,26 +675,6 @@ COMMIT -A FORWARD -A FORWARD -j logreject-0 -A FORWARD -j logtarpit-0 --A FORWARD -j ACCEPT --A FORWARD -j logdrop-1 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-0 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-1 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-2 --A FORWARD -j logdrop-4 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-3 --A FORWARD -j logdrop-5 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT @@ -1078,26 +712,6 @@ COMMIT -A INPUT -A INPUT -j logreject-0 -A INPUT -j logtarpit-0 --A INPUT -j ACCEPT --A INPUT -j logdrop-1 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-0 --A INPUT -j logdrop-2 --A INPUT -j logpass-0 --A INPUT -j logaccept-1 --A INPUT -j logdrop-3 --A INPUT -j logpass-1 --A INPUT -j logaccept-2 --A INPUT -j logdrop-4 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-3 --A INPUT -j logdrop-5 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmpv6 -j ACCEPT 
@@ -1110,56 +724,14 @@ COMMIT -A OUTPUT -j logreject-0 -A OUTPUT -j logtarpit-0 -A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-1 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-0 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-1 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-2 --A OUTPUT -j logdrop-4 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-3 --A OUTPUT -j logdrop-5 --A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT -A OUTPUT -p icmpv6 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT --A logaccept-0 -m limit --limit 1/second -j LOG --A logaccept-0 -j ACCEPT --A logaccept-1 -j LOG --A logaccept-1 -j TEE --gateway fc00::1 --A logaccept-1 -j ACCEPT --A logaccept-2 -j TEE --gateway fc00::2 --A logaccept-2 -j ACCEPT --A logaccept-3 -j ACCEPT -A logdrop-0 -m limit --limit 1/second -j LOG -A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -m limit --limit 1/second -j LOG --A logdrop-2 -j DROP --A logdrop-3 -j LOG --A logdrop-3 -j TEE --gateway fc00::1 --A logdrop-3 -j DROP --A logdrop-4 -j TEE --gateway fc00::2 --A logdrop-4 -j DROP --A logdrop-5 -j DROP --A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-1 -j TEE --gateway fc00::1 --A logpass-2 -j TEE --gateway fc00::2 -A logreject-0 -m limit --limit 1/second -j LOG -A logreject-0 -j REJECT -A logtarpit-0 -m limit --limit 1/second -j LOG diff --git a/test/output/filter/rules-save b/test/output/filter/rules-save index da23150..72882d3 100644 --- a/test/output/filter/rules-save +++ b/test/output/filter/rules-save 
@@ -4,20 +4,7 @@ :INPUT DROP [0:0] :OUTPUT DROP [0:0] :icmp-routing - [0:0] -:logaccept-0 - [0:0] -:logaccept-1 - [0:0] -:logaccept-2 - [0:0] -:logaccept-3 - [0:0] :logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] -:logdrop-5 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] -:logpass-3 - [0:0] :logreject-0 - [0:0] :logtarpit-0 - [0:0] :tarpit - [0:0] @@ -28,27 +15,6 @@ -A FORWARD -A FORWARD -j logreject-0 -A FORWARD -j logtarpit-0 --A FORWARD -j ACCEPT --A FORWARD -j logdrop-1 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-0 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-1 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-2 --A FORWARD -j logdrop-4 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-3 --A FORWARD -j logdrop-5 --A FORWARD -j logpass-3 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT @@ -112,27 +78,6 @@ -A INPUT -A INPUT -j logreject-0 -A INPUT -j logtarpit-0 --A INPUT -j ACCEPT --A INPUT -j logdrop-1 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-0 --A INPUT -j logdrop-2 --A INPUT -j logpass-0 --A INPUT -j logaccept-1 --A INPUT -j logdrop-3 --A INPUT -j logpass-1 --A INPUT -j logaccept-2 --A INPUT -j logdrop-4 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-3 --A INPUT -j logdrop-5 --A INPUT -j logpass-3 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmp -j icmp-routing 
@@ -144,27 +89,6 @@ -A OUTPUT -A OUTPUT -j logreject-0 -A OUTPUT -j logtarpit-0 --A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-1 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-0 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-1 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-2 --A OUTPUT -j logdrop-4 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-3 --A OUTPUT -j logdrop-5 --A OUTPUT -j logpass-3 -A OUTPUT -m limit --limit 12/minute -j ULOG -A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT @@ -172,33 +96,8 @@ -A icmp-routing -p icmp --icmp-type 3 -j ACCEPT -A icmp-routing -p icmp --icmp-type 11 -j ACCEPT -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT --A logaccept-0 -m limit --limit 1/second -j LOG --A logaccept-0 -j ACCEPT --A logaccept-1 -j LOG --A logaccept-1 -j ACCEPT --A logaccept-2 -j TEE --gateway 10.0.0.1 --A logaccept-2 -j TEE --gateway 10.0.0.2 --A logaccept-2 -j ACCEPT --A logaccept-3 -m limit --limit 12/minute -j ULOG --A logaccept-3 -j ACCEPT -A logdrop-0 -m limit --limit 1/second -j LOG -A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -m limit --limit 1/second -j LOG --A logdrop-2 -j DROP --A logdrop-3 -j LOG --A logdrop-3 -j DROP --A logdrop-4 -j TEE --gateway 10.0.0.1 --A logdrop-4 -j TEE --gateway 10.0.0.2 --A logdrop-4 -j DROP --A logdrop-5 -m limit --limit 12/minute -j ULOG --A logdrop-5 -j DROP --A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-2 -j TEE --gateway 10.0.0.1 --A logpass-2 -j TEE --gateway 10.0.0.2 --A logpass-3 -m limit --limit 12/minute -j ULOG -A logreject-0 -m limit --limit 1/second -j LOG -A logreject-0 -j REJECT -A logtarpit-0 -m limit --limit 1/second -j LOG diff --git a/test/output/filter/rules6-save b/test/output/filter/rules6-save index 0285ab6..ae0ddf1 100644 
--- a/test/output/filter/rules6-save +++ b/test/output/filter/rules6-save @@ -4,19 +4,7 @@ :INPUT DROP [0:0] :OUTPUT DROP [0:0] :icmp-routing - [0:0] -:logaccept-0 - [0:0] -:logaccept-1 - [0:0] -:logaccept-2 - [0:0] -:logaccept-3 - [0:0] :logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] -:logdrop-5 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] :logreject-0 - [0:0] :logtarpit-0 - [0:0] :tarpit - [0:0] @@ -27,26 +15,6 @@ -A FORWARD -A FORWARD -j logreject-0 -A FORWARD -j logtarpit-0 --A FORWARD -j ACCEPT --A FORWARD -j logdrop-1 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-0 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-1 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-2 --A FORWARD -j logdrop-4 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-3 --A FORWARD -j logdrop-5 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT @@ -84,26 +52,6 @@ -A INPUT -A INPUT -j logreject-0 -A INPUT -j logtarpit-0 --A INPUT -j ACCEPT --A INPUT -j logdrop-1 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-0 --A INPUT -j logdrop-2 --A INPUT -j logpass-0 --A INPUT -j logaccept-1 --A INPUT -j logdrop-3 --A INPUT -j logpass-1 --A INPUT -j logaccept-2 --A INPUT -j logdrop-4 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-3 --A INPUT -j logdrop-5 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmpv6 -j ACCEPT 
@@ -116,56 +64,14 @@ -A OUTPUT -j logreject-0 -A OUTPUT -j logtarpit-0 -A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-1 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-0 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-1 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-2 --A OUTPUT -j logdrop-4 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-3 --A OUTPUT -j logdrop-5 --A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT -A OUTPUT -p icmpv6 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT --A logaccept-0 -m limit --limit 1/second -j LOG --A logaccept-0 -j ACCEPT --A logaccept-1 -j LOG --A logaccept-1 -j TEE --gateway fc00::1 --A logaccept-1 -j ACCEPT --A logaccept-2 -j TEE --gateway fc00::2 --A logaccept-2 -j ACCEPT --A logaccept-3 -j ACCEPT -A logdrop-0 -m limit --limit 1/second -j LOG -A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -m limit --limit 1/second -j LOG --A logdrop-2 -j DROP --A logdrop-3 -j LOG --A logdrop-3 -j TEE --gateway fc00::1 --A logdrop-3 -j DROP --A logdrop-4 -j TEE --gateway fc00::2 --A logdrop-4 -j DROP --A logdrop-5 -j DROP --A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-1 -j TEE --gateway fc00::1 --A logpass-2 -j TEE --gateway fc00::2 -A logreject-0 -m limit --limit 1/second -j LOG -A logreject-0 -j REJECT -A logtarpit-0 -m limit --limit 1/second -j LOG diff --git a/test/output/ipset/dump b/test/output/ipset/dump index 947f681..e637773 100644 --- a/test/output/ipset/dump +++ b/test/output/ipset/dump 
@@ -23,244 +23,11 @@ Filter 1 {"action":"drop","in":"A","ipset":[{"args":["in"," inet6/filter/logdrop-ssh-0 -m limit --limit 1/second -j LOG inet6/filter/logdrop-ssh-0 -j DROP -Filter 2 {} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 3 {"action":"drop"} -(log) - inet/filter/FORWARD -j logdrop-0 - inet/filter/INPUT -j logdrop-0 - inet/filter/OUTPUT -j logdrop-0 - inet/filter/logdrop-0 -m limit --limit 1/second -j LOG - inet/filter/logdrop-0 -j DROP - inet6/filter/FORWARD -j logdrop-0 - inet6/filter/INPUT -j logdrop-0 - inet6/filter/OUTPUT -j logdrop-0 - inet6/filter/logdrop-0 -m limit --limit 1/second -j LOG - inet6/filter/logdrop-0 -j DROP - -Filter 4 {"action":"pass"} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 5 {"log":false} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 6 {"action":"drop","log":false} -(log) - inet/filter/FORWARD -j DROP - inet/filter/INPUT -j DROP - inet/filter/OUTPUT -j DROP - inet6/filter/FORWARD -j DROP - inet6/filter/INPUT -j DROP - inet6/filter/OUTPUT -j DROP - -Filter 7 {"action":"pass","log":false} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 8 {"log":true} -(log) - inet/filter/FORWARD -j logaccept-0 - inet/filter/INPUT -j logaccept-0 - inet/filter/OUTPUT -j logaccept-0 - inet/filter/logaccept-0 -m limit --limit 1/second -j LOG - inet/filter/logaccept-0 -j ACCEPT - inet6/filter/FORWARD -j logaccept-0 - inet6/filter/INPUT -j logaccept-0 - inet6/filter/OUTPUT -j logaccept-0 - inet6/filter/logaccept-0 -m limit --limit 1/second 
-j LOG - inet6/filter/logaccept-0 -j ACCEPT - -Filter 9 {"action":"drop","log":true} -(log) - inet/filter/FORWARD -j logdrop-1 - inet/filter/INPUT -j logdrop-1 - inet/filter/OUTPUT -j logdrop-1 - inet/filter/logdrop-1 -m limit --limit 1/second -j LOG - inet/filter/logdrop-1 -j DROP - inet6/filter/FORWARD -j logdrop-1 - inet6/filter/INPUT -j logdrop-1 - inet6/filter/OUTPUT -j logdrop-1 - inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG - inet6/filter/logdrop-1 -j DROP - -Filter 10 {"action":"pass","log":true} -(log) - inet/filter/FORWARD -j logpass-0 - inet/filter/INPUT -j logpass-0 - inet/filter/OUTPUT -j logpass-0 - inet/filter/logpass-0 -m limit --limit 1/second -j LOG - inet6/filter/FORWARD -j logpass-0 - inet6/filter/INPUT -j logpass-0 - inet6/filter/OUTPUT -j logpass-0 - inet6/filter/logpass-0 -m limit --limit 1/second -j LOG - -Filter 11 {"log":"dual"} -(log) - inet/filter/FORWARD -j logaccept-1 - inet/filter/INPUT -j logaccept-1 - inet/filter/OUTPUT -j logaccept-1 - inet/filter/logaccept-1 -j LOG - inet/filter/logaccept-1 -j ACCEPT - inet6/filter/FORWARD -j logaccept-1 - inet6/filter/INPUT -j logaccept-1 - inet6/filter/OUTPUT -j logaccept-1 - inet6/filter/logaccept-1 -j LOG - inet6/filter/logaccept-1 -j TEE --gateway fc00::1 - inet6/filter/logaccept-1 -j ACCEPT - -Filter 12 {"action":"drop","log":"dual"} -(log) - inet/filter/FORWARD -j logdrop-2 - inet/filter/INPUT -j logdrop-2 - inet/filter/OUTPUT -j logdrop-2 - inet/filter/logdrop-2 -j LOG - inet/filter/logdrop-2 -j DROP - inet6/filter/FORWARD -j logdrop-2 - inet6/filter/INPUT -j logdrop-2 - inet6/filter/OUTPUT -j logdrop-2 - inet6/filter/logdrop-2 -j LOG - inet6/filter/logdrop-2 -j TEE --gateway fc00::1 - inet6/filter/logdrop-2 -j DROP - -Filter 13 {"action":"pass","log":"dual"} -(log) - inet/filter/FORWARD -j logpass-1 - inet/filter/INPUT -j logpass-1 - inet/filter/OUTPUT -j logpass-1 - inet/filter/logpass-1 -j LOG - inet6/filter/FORWARD -j logpass-1 - inet6/filter/INPUT -j logpass-1 - 
inet6/filter/OUTPUT -j logpass-1 - inet6/filter/logpass-1 -j LOG - inet6/filter/logpass-1 -j TEE --gateway fc00::1 - -Filter 14 {"log":"mirror"} -(log) - inet/filter/FORWARD -j logaccept-2 - inet/filter/INPUT -j logaccept-2 - inet/filter/OUTPUT -j logaccept-2 - inet/filter/logaccept-2 -j TEE --gateway 10.0.0.1 - inet/filter/logaccept-2 -j TEE --gateway 10.0.0.2 - inet/filter/logaccept-2 -j ACCEPT - inet6/filter/FORWARD -j logaccept-2 - inet6/filter/INPUT -j logaccept-2 - inet6/filter/OUTPUT -j logaccept-2 - inet6/filter/logaccept-2 -j TEE --gateway fc00::2 - inet6/filter/logaccept-2 -j ACCEPT - -Filter 15 {"action":"drop","log":"mirror"} -(log) - inet/filter/FORWARD -j logdrop-3 - inet/filter/INPUT -j logdrop-3 - inet/filter/OUTPUT -j logdrop-3 - inet/filter/logdrop-3 -j TEE --gateway 10.0.0.1 - inet/filter/logdrop-3 -j TEE --gateway 10.0.0.2 - inet/filter/logdrop-3 -j DROP - inet6/filter/FORWARD -j logdrop-3 - inet6/filter/INPUT -j logdrop-3 - inet6/filter/OUTPUT -j logdrop-3 - inet6/filter/logdrop-3 -j TEE --gateway fc00::2 - inet6/filter/logdrop-3 -j DROP - -Filter 16 {"action":"pass","log":"mirror"} -(log) - inet/filter/FORWARD -j logpass-2 - inet/filter/INPUT -j logpass-2 - inet/filter/OUTPUT -j logpass-2 - inet/filter/logpass-2 -j TEE --gateway 10.0.0.1 - inet/filter/logpass-2 -j TEE --gateway 10.0.0.2 - inet6/filter/FORWARD -j logpass-2 - inet6/filter/INPUT -j logpass-2 - inet6/filter/OUTPUT -j logpass-2 - inet6/filter/logpass-2 -j TEE --gateway fc00::2 - -Filter 17 {"log":"none"} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 18 {"action":"drop","log":"none"} -(log) - inet/filter/FORWARD -j DROP - inet/filter/INPUT -j DROP - inet/filter/OUTPUT -j DROP - inet6/filter/FORWARD -j DROP - inet6/filter/INPUT -j DROP - inet6/filter/OUTPUT -j DROP - -Filter 19 {"action":"pass","log":"none"} -(log) - 
inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 20 {"log":"ulog"} -(log) - inet/filter/FORWARD -j logaccept-3 - inet/filter/INPUT -j logaccept-3 - inet/filter/OUTPUT -j logaccept-3 - inet/filter/logaccept-3 -m limit --limit 12/minute -j ULOG - inet/filter/logaccept-3 -j ACCEPT - inet6/filter/FORWARD -j logaccept-3 - inet6/filter/INPUT -j logaccept-3 - inet6/filter/OUTPUT -j logaccept-3 - inet6/filter/logaccept-3 -j ACCEPT - -Filter 21 {"action":"drop","log":"ulog"} -(log) - inet/filter/FORWARD -j logdrop-4 - inet/filter/INPUT -j logdrop-4 - inet/filter/OUTPUT -j logdrop-4 - inet/filter/logdrop-4 -m limit --limit 12/minute -j ULOG - inet/filter/logdrop-4 -j DROP - inet6/filter/FORWARD -j logdrop-4 - inet6/filter/INPUT -j logdrop-4 - inet6/filter/OUTPUT -j logdrop-4 - inet6/filter/logdrop-4 -j DROP - -Filter 22 {"action":"pass","log":"ulog"} -(log) - inet/filter/FORWARD -j logpass-3 - inet/filter/INPUT -j logpass-3 - inet/filter/OUTPUT -j logpass-3 - inet/filter/logpass-3 -m limit --limit 12/minute -j ULOG - -Filter 23 {"action":"pass","in":"_fw","log":"ulog"} +Filter 2 {"action":"pass","in":"_fw","log":"ulog"} (log) inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG -Filter 24 {"in":["_fw","A"]} +Filter 3 {"in":["_fw","A"]} (zone) inet/filter/FORWARD -i eth0 -j ACCEPT inet/filter/INPUT -i eth0 -j ACCEPT @@ -269,12 +36,12 @@ Filter 24 {"in":["_fw","A"]} inet6/filter/INPUT -i eth0 -j ACCEPT inet6/filter/OUTPUT -j ACCEPT -Filter 25 {"in":"B","out":"C"} +Filter 4 {"in":"B","out":"C"} (zone) inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT -Filter 26 {"out":["_fw","B"]} +Filter 5 {"out":["_fw","B"]} (zone) inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT inet/filter/INPUT -j ACCEPT 
@@ -283,7 +50,7 @@ Filter 26 {"out":["_fw","B"]} inet6/filter/INPUT -j ACCEPT inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT -Filter 27 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} +Filter 6 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} (zone) inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT @@ -704,43 +471,9 @@ hash:net,iface family inet :INPUT DROP [0:0] :OUTPUT DROP [0:0] :icmp-routing - [0:0] -:logaccept-0 - [0:0] -:logaccept-1 - [0:0] -:logaccept-2 - [0:0] -:logaccept-3 - [0:0] -:logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] :logdrop-ssh-0 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] -:logpass-3 - [0:0] -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT -A FORWARD -i eth0 -m set --match-set foo src,dst -p tcp --dport 22 -j logdrop-ssh-0 --A FORWARD -j ACCEPT --A FORWARD -j logdrop-0 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-0 --A FORWARD -j logdrop-1 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-1 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-2 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-3 --A FORWARD -j logdrop-4 --A FORWARD -j logpass-3 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT 
@@ -799,53 +532,11 @@ hash:net,iface family inet -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i eth0 -m set --match-set foo src,dst -p tcp --dport 22 -j logdrop-ssh-0 --A INPUT -j ACCEPT --A INPUT -j logdrop-0 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-0 --A INPUT -j logdrop-1 --A INPUT -j logpass-0 --A INPUT -j logaccept-1 --A INPUT -j logdrop-2 --A INPUT -j logpass-1 --A INPUT -j logaccept-2 --A INPUT -j logdrop-3 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-3 --A INPUT -j logdrop-4 --A INPUT -j logpass-3 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmp -j icmp-routing -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -o lo -j ACCEPT --A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-0 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-0 --A OUTPUT -j logdrop-1 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-1 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-2 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-3 --A OUTPUT -j logdrop-4 --A OUTPUT -j logpass-3 -A OUTPUT -m limit --limit 12/minute -j ULOG -A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT 
@@ -853,33 +544,8 @@ hash:net,iface family inet -A icmp-routing -p icmp --icmp-type 3 -j ACCEPT -A icmp-routing -p icmp --icmp-type 11 -j ACCEPT -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT --A logaccept-0 -m limit --limit 1/second -j LOG --A logaccept-0 -j ACCEPT --A logaccept-1 -j LOG --A logaccept-1 -j ACCEPT --A logaccept-2 -j TEE --gateway 10.0.0.1 --A logaccept-2 -j TEE --gateway 10.0.0.2 --A logaccept-2 -j ACCEPT --A logaccept-3 -m limit --limit 12/minute -j ULOG --A logaccept-3 -j ACCEPT --A logdrop-0 -m limit --limit 1/second -j LOG --A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -j LOG --A logdrop-2 -j DROP --A logdrop-3 -j TEE --gateway 10.0.0.1 --A logdrop-3 -j TEE --gateway 10.0.0.2 --A logdrop-3 -j DROP --A logdrop-4 -m limit --limit 12/minute -j ULOG --A logdrop-4 -j DROP -A logdrop-ssh-0 -m limit --limit 1/second -j LOG -A logdrop-ssh-0 -j DROP --A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-2 -j TEE --gateway 10.0.0.1 --A logpass-2 -j TEE --gateway 10.0.0.2 --A logpass-3 -m limit --limit 12/minute -j ULOG COMMIT *mangle :FORWARD ACCEPT [0:0] 
@@ -924,41 +590,9 @@ COMMIT :INPUT DROP [0:0] :OUTPUT DROP [0:0] :icmp-routing - [0:0] -:logaccept-0 - [0:0] -:logaccept-1 - [0:0] -:logaccept-2 - [0:0] -:logaccept-3 - [0:0] -:logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] :logdrop-ssh-0 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT -A FORWARD -i eth0 -m set --match-set bar src -p tcp --dport 22 -j logdrop-ssh-0 --A FORWARD -j ACCEPT --A FORWARD -j logdrop-0 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-0 --A FORWARD -j logdrop-1 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-1 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-2 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-3 --A FORWARD -j logdrop-4 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT 
@@ -991,82 +625,20 @@ COMMIT -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i eth0 -m set --match-set bar src -p tcp --dport 22 -j logdrop-ssh-0 --A INPUT -j ACCEPT --A INPUT -j logdrop-0 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-0 --A INPUT -j logdrop-1 --A INPUT -j logpass-0 --A INPUT -j logaccept-1 --A INPUT -j logdrop-2 --A INPUT -j logpass-1 --A INPUT -j logaccept-2 --A INPUT -j logdrop-3 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-3 --A INPUT -j logdrop-4 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmpv6 -j ACCEPT -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-0 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-0 --A OUTPUT -j logdrop-1 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-1 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-2 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-3 --A OUTPUT -j logdrop-4 --A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT -A OUTPUT -p icmpv6 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT --A logaccept-0 -m limit --limit 1/second -j LOG --A logaccept-0 -j ACCEPT --A logaccept-1 -j LOG --A logaccept-1 -j TEE --gateway fc00::1 --A logaccept-1 -j ACCEPT --A logaccept-2 -j TEE --gateway fc00::2 --A logaccept-2 -j ACCEPT --A logaccept-3 -j ACCEPT --A logdrop-0 -m limit --limit 1/second -j LOG --A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -j LOG --A logdrop-2 -j TEE --gateway fc00::1 --A logdrop-2 -j DROP --A logdrop-3 -j TEE --gateway fc00::2 
--A logdrop-3 -j DROP --A logdrop-4 -j DROP -A logdrop-ssh-0 -m limit --limit 1/second -j LOG -A logdrop-ssh-0 -j DROP --A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-1 -j TEE --gateway fc00::1 --A logpass-2 -j TEE --gateway fc00::2 COMMIT *mangle :INPUT ACCEPT [0:0] diff --git a/test/output/ipset/rules-save b/test/output/ipset/rules-save index 9911a0b..eb1127b 100644 --- a/test/output/ipset/rules-save +++ b/test/output/ipset/rules-save @@ -4,43 +4,9 @@ :INPUT DROP [0:0] :OUTPUT DROP [0:0] :icmp-routing - [0:0] -:logaccept-0 - [0:0] -:logaccept-1 - [0:0] -:logaccept-2 - [0:0] -:logaccept-3 - [0:0] -:logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] :logdrop-ssh-0 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] -:logpass-3 - [0:0] -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT -A FORWARD -i eth0 -m set --match-set foo src,dst -p tcp --dport 22 -j logdrop-ssh-0 --A FORWARD -j ACCEPT --A FORWARD -j logdrop-0 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-0 --A FORWARD -j logdrop-1 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-1 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-2 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-3 --A FORWARD -j logdrop-4 --A FORWARD -j logpass-3 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT 
@@ -99,53 +65,11 @@ -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i eth0 -m set --match-set foo src,dst -p tcp --dport 22 -j logdrop-ssh-0 --A INPUT -j ACCEPT --A INPUT -j logdrop-0 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-0 --A INPUT -j logdrop-1 --A INPUT -j logpass-0 --A INPUT -j logaccept-1 --A INPUT -j logdrop-2 --A INPUT -j logpass-1 --A INPUT -j logaccept-2 --A INPUT -j logdrop-3 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-3 --A INPUT -j logdrop-4 --A INPUT -j logpass-3 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmp -j icmp-routing -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -o lo -j ACCEPT --A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-0 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-0 --A OUTPUT -j logdrop-1 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-1 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-2 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-3 --A OUTPUT -j logdrop-4 --A OUTPUT -j logpass-3 -A OUTPUT -m limit --limit 12/minute -j ULOG -A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT 
@@ -153,33 +77,8 @@ -A icmp-routing -p icmp --icmp-type 3 -j ACCEPT -A icmp-routing -p icmp --icmp-type 11 -j ACCEPT -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT --A logaccept-0 -m limit --limit 1/second -j LOG --A logaccept-0 -j ACCEPT --A logaccept-1 -j LOG --A logaccept-1 -j ACCEPT --A logaccept-2 -j TEE --gateway 10.0.0.1 --A logaccept-2 -j TEE --gateway 10.0.0.2 --A logaccept-2 -j ACCEPT --A logaccept-3 -m limit --limit 12/minute -j ULOG --A logaccept-3 -j ACCEPT --A logdrop-0 -m limit --limit 1/second -j LOG --A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -j LOG --A logdrop-2 -j DROP --A logdrop-3 -j TEE --gateway 10.0.0.1 --A logdrop-3 -j TEE --gateway 10.0.0.2 --A logdrop-3 -j DROP --A logdrop-4 -m limit --limit 12/minute -j ULOG --A logdrop-4 -j DROP -A logdrop-ssh-0 -m limit --limit 1/second -j LOG -A logdrop-ssh-0 -j DROP --A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-2 -j TEE --gateway 10.0.0.1 --A logpass-2 -j TEE --gateway 10.0.0.2 --A logpass-3 -m limit --limit 12/minute -j ULOG COMMIT *mangle :FORWARD ACCEPT [0:0] diff --git a/test/output/ipset/rules6-save b/test/output/ipset/rules6-save index b2d2565..259e8d3 100644 --- a/test/output/ipset/rules6-save +++ b/test/output/ipset/rules6-save 
@@ -4,41 +4,9 @@ :INPUT DROP [0:0] :OUTPUT DROP [0:0] :icmp-routing - [0:0] -:logaccept-0 - [0:0] -:logaccept-1 - [0:0] -:logaccept-2 - [0:0] -:logaccept-3 - [0:0] -:logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] :logdrop-ssh-0 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT -A FORWARD -i eth0 -m set --match-set bar src -p tcp --dport 22 -j logdrop-ssh-0 --A FORWARD -j ACCEPT --A FORWARD -j logdrop-0 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-0 --A FORWARD -j logdrop-1 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-1 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-2 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-3 --A FORWARD -j logdrop-4 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT 
@@ -71,82 +39,20 @@ -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i eth0 -m set --match-set bar src -p tcp --dport 22 -j logdrop-ssh-0 --A INPUT -j ACCEPT --A INPUT -j logdrop-0 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-0 --A INPUT -j logdrop-1 --A INPUT -j logpass-0 --A INPUT -j logaccept-1 --A INPUT -j logdrop-2 --A INPUT -j logpass-1 --A INPUT -j logaccept-2 --A INPUT -j logdrop-3 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-3 --A INPUT -j logdrop-4 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmpv6 -j ACCEPT -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-0 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-0 --A OUTPUT -j logdrop-1 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-1 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-2 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-3 --A OUTPUT -j logdrop-4 --A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT -A OUTPUT -p icmpv6 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT --A logaccept-0 -m limit --limit 1/second -j LOG --A logaccept-0 -j ACCEPT --A logaccept-1 -j LOG --A logaccept-1 -j TEE --gateway fc00::1 --A logaccept-1 -j ACCEPT --A logaccept-2 -j TEE --gateway fc00::2 --A logaccept-2 -j ACCEPT --A logaccept-3 -j ACCEPT --A logdrop-0 -m limit --limit 1/second -j LOG --A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -j LOG --A logdrop-2 -j TEE --gateway fc00::1 --A logdrop-2 -j DROP --A logdrop-3 -j TEE --gateway fc00::2 --A 
logdrop-3 -j DROP --A logdrop-4 -j DROP -A logdrop-ssh-0 -m limit --limit 1/second -j LOG -A logdrop-ssh-0 -j DROP --A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-1 -j TEE --gateway fc00::1 --A logpass-2 -j TEE --gateway fc00::2 COMMIT *mangle :INPUT ACCEPT [0:0] diff --git a/test/output/nat/dump b/test/output/nat/dump index b9620bb..c533b7a 100644 --- a/test/output/nat/dump +++ b/test/output/nat/dump 
@@ -158,336 +158,103 @@ Dnat 36 {"in":"B"} inet/nat/PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT -Filter 1 {} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 2 {"action":"drop"} -(log) - inet/filter/FORWARD -j logdrop-0 - inet/filter/INPUT -j logdrop-0 - inet/filter/OUTPUT -j logdrop-0 - inet/filter/logdrop-0 -m limit --limit 1/second -j LOG - inet/filter/logdrop-0 -j DROP - inet6/filter/FORWARD -j logdrop-0 - inet6/filter/INPUT -j logdrop-0 - inet6/filter/OUTPUT -j logdrop-0 - inet6/filter/logdrop-0 -m limit --limit 1/second -j LOG - inet6/filter/logdrop-0 -j DROP - -Filter 3 {"action":"pass"} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 4 {"log":false} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 5 {"action":"drop","log":false} -(log) - inet/filter/FORWARD -j DROP - inet/filter/INPUT -j DROP - inet/filter/OUTPUT -j DROP - inet6/filter/FORWARD -j DROP - inet6/filter/INPUT -j DROP - inet6/filter/OUTPUT -j DROP - -Filter 6 {"action":"pass","log":false} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 7 {"log":true} -(log) - inet/filter/FORWARD -j logaccept-0 - inet/filter/INPUT -j logaccept-0 - inet/filter/OUTPUT -j logaccept-0 - inet/filter/logaccept-0 -m limit --limit 1/second -j LOG - inet/filter/logaccept-0 -j ACCEPT - inet6/filter/FORWARD -j logaccept-0 - inet6/filter/INPUT -j logaccept-0 - inet6/filter/OUTPUT -j logaccept-0 - inet6/filter/logaccept-0 -m limit --limit 1/second -j LOG - inet6/filter/logaccept-0 -j ACCEPT - -Filter 8 
{"action":"drop","log":true} -(log) - inet/filter/FORWARD -j logdrop-1 - inet/filter/INPUT -j logdrop-1 - inet/filter/OUTPUT -j logdrop-1 - inet/filter/logdrop-1 -m limit --limit 1/second -j LOG - inet/filter/logdrop-1 -j DROP - inet6/filter/FORWARD -j logdrop-1 - inet6/filter/INPUT -j logdrop-1 - inet6/filter/OUTPUT -j logdrop-1 - inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG - inet6/filter/logdrop-1 -j DROP - -Filter 9 {"action":"pass","log":true} -(log) - inet/filter/FORWARD -j logpass-0 - inet/filter/INPUT -j logpass-0 - inet/filter/OUTPUT -j logpass-0 - inet/filter/logpass-0 -m limit --limit 1/second -j LOG - inet6/filter/FORWARD -j logpass-0 - inet6/filter/INPUT -j logpass-0 - inet6/filter/OUTPUT -j logpass-0 - inet6/filter/logpass-0 -m limit --limit 1/second -j LOG - -Filter 10 {"log":"dual"} -(log) - inet/filter/FORWARD -j logaccept-1 - inet/filter/INPUT -j logaccept-1 - inet/filter/OUTPUT -j logaccept-1 - inet/filter/logaccept-1 -j LOG - inet/filter/logaccept-1 -j ACCEPT - inet6/filter/FORWARD -j logaccept-1 - inet6/filter/INPUT -j logaccept-1 - inet6/filter/OUTPUT -j logaccept-1 - inet6/filter/logaccept-1 -j LOG - inet6/filter/logaccept-1 -j TEE --gateway fc00::1 - inet6/filter/logaccept-1 -j ACCEPT - -Filter 11 {"action":"drop","log":"dual"} -(log) - inet/filter/FORWARD -j logdrop-2 - inet/filter/INPUT -j logdrop-2 - inet/filter/OUTPUT -j logdrop-2 - inet/filter/logdrop-2 -j LOG - inet/filter/logdrop-2 -j DROP - inet6/filter/FORWARD -j logdrop-2 - inet6/filter/INPUT -j logdrop-2 - inet6/filter/OUTPUT -j logdrop-2 - inet6/filter/logdrop-2 -j LOG - inet6/filter/logdrop-2 -j TEE --gateway fc00::1 - inet6/filter/logdrop-2 -j DROP - -Filter 12 {"action":"pass","log":"dual"} -(log) - inet/filter/FORWARD -j logpass-1 - inet/filter/INPUT -j logpass-1 - inet/filter/OUTPUT -j logpass-1 - inet/filter/logpass-1 -j LOG - inet6/filter/FORWARD -j logpass-1 - inet6/filter/INPUT -j logpass-1 - inet6/filter/OUTPUT -j logpass-1 - inet6/filter/logpass-1 -j LOG - 
inet6/filter/logpass-1 -j TEE --gateway fc00::1 - -Filter 13 {"log":"mirror"} -(log) - inet/filter/FORWARD -j logaccept-2 - inet/filter/INPUT -j logaccept-2 - inet/filter/OUTPUT -j logaccept-2 - inet/filter/logaccept-2 -j TEE --gateway 10.0.0.1 - inet/filter/logaccept-2 -j TEE --gateway 10.0.0.2 - inet/filter/logaccept-2 -j ACCEPT - inet6/filter/FORWARD -j logaccept-2 - inet6/filter/INPUT -j logaccept-2 - inet6/filter/OUTPUT -j logaccept-2 - inet6/filter/logaccept-2 -j TEE --gateway fc00::2 - inet6/filter/logaccept-2 -j ACCEPT - -Filter 14 {"action":"drop","log":"mirror"} -(log) - inet/filter/FORWARD -j logdrop-3 - inet/filter/INPUT -j logdrop-3 - inet/filter/OUTPUT -j logdrop-3 - inet/filter/logdrop-3 -j TEE --gateway 10.0.0.1 - inet/filter/logdrop-3 -j TEE --gateway 10.0.0.2 - inet/filter/logdrop-3 -j DROP - inet6/filter/FORWARD -j logdrop-3 - inet6/filter/INPUT -j logdrop-3 - inet6/filter/OUTPUT -j logdrop-3 - inet6/filter/logdrop-3 -j TEE --gateway fc00::2 - inet6/filter/logdrop-3 -j DROP - -Filter 15 {"action":"pass","log":"mirror"} -(log) - inet/filter/FORWARD -j logpass-2 - inet/filter/INPUT -j logpass-2 - inet/filter/OUTPUT -j logpass-2 - inet/filter/logpass-2 -j TEE --gateway 10.0.0.1 - inet/filter/logpass-2 -j TEE --gateway 10.0.0.2 - inet6/filter/FORWARD -j logpass-2 - inet6/filter/INPUT -j logpass-2 - inet6/filter/OUTPUT -j logpass-2 - inet6/filter/logpass-2 -j TEE --gateway fc00::2 - -Filter 16 {"log":"none"} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 17 {"action":"drop","log":"none"} -(log) - inet/filter/FORWARD -j DROP - inet/filter/INPUT -j DROP - inet/filter/OUTPUT -j DROP - inet6/filter/FORWARD -j DROP - inet6/filter/INPUT -j DROP - inet6/filter/OUTPUT -j DROP - -Filter 18 {"action":"pass","log":"none"} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - 
inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 19 {"log":"ulog"} -(log) - inet/filter/FORWARD -j logaccept-3 - inet/filter/INPUT -j logaccept-3 - inet/filter/OUTPUT -j logaccept-3 - inet/filter/logaccept-3 -m limit --limit 12/minute -j ULOG - inet/filter/logaccept-3 -j ACCEPT - inet6/filter/FORWARD -j logaccept-3 - inet6/filter/INPUT -j logaccept-3 - inet6/filter/OUTPUT -j logaccept-3 - inet6/filter/logaccept-3 -j ACCEPT - -Filter 20 {"action":"drop","log":"ulog"} -(log) - inet/filter/FORWARD -j logdrop-4 - inet/filter/INPUT -j logdrop-4 - inet/filter/OUTPUT -j logdrop-4 - inet/filter/logdrop-4 -m limit --limit 12/minute -j ULOG - inet/filter/logdrop-4 -j DROP - inet6/filter/FORWARD -j logdrop-4 - inet6/filter/INPUT -j logdrop-4 - inet6/filter/OUTPUT -j logdrop-4 - inet6/filter/logdrop-4 -j DROP - -Filter 21 {"action":"pass","log":"ulog"} -(log) - inet/filter/FORWARD -j logpass-3 - inet/filter/INPUT -j logpass-3 - inet/filter/OUTPUT -j logpass-3 - inet/filter/logpass-3 -m limit --limit 12/minute -j ULOG - -Filter 22 {"action":"pass","in":"_fw","log":"ulog"} -(log) - inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG - -Filter 23 {"in":["_fw","A"]} -(zone) - inet/filter/FORWARD -i eth0 -j ACCEPT - inet/filter/INPUT -i eth0 -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -i eth0 -j ACCEPT - inet6/filter/INPUT -i eth0 -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 24 {"in":"B","out":"C"} -(zone) - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT +Filter 1 {"action":"pass","in":"_fw","log":"ulog"} +(log) + inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG -Filter 25 {"out":["_fw","B"]} -(zone) - inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/INPUT -j ACCEPT 
- inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT - -Filter 26 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} -(zone) - inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j 
ACCEPT - inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT - 
inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT +Filter 2 {"in":["_fw","A"]} +(zone) + inet/filter/FORWARD -i eth0 -j ACCEPT + inet/filter/INPUT -i eth0 -j ACCEPT + inet/filter/OUTPUT -j ACCEPT + inet6/filter/FORWARD -i eth0 -j ACCEPT + inet6/filter/INPUT -i eth0 -j ACCEPT + inet6/filter/OUTPUT -j ACCEPT + +Filter 3 {"in":"B","out":"C"} +(zone) + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + +Filter 4 {"out":["_fw","B"]} +(zone) + inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/INPUT -j ACCEPT + inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/INPUT -j ACCEPT + inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT + +Filter 5 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} +(zone) + inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + 
inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -m policy 
--dir in --pol ipsec -o eth0 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT Ipset 
awall-masquerade {"family":"inet","type":"hash:net"} @@ -973,41 +740,7 @@ hash:net family inet :INPUT DROP [0:0] :OUTPUT DROP [0:0] :icmp-routing - [0:0] -:logaccept-0 - [0:0] -:logaccept-1 - [0:0] -:logaccept-2 - [0:0] -:logaccept-3 - [0:0] -:logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] -:logpass-3 - [0:0] -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT --A FORWARD -j ACCEPT --A FORWARD -j logdrop-0 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-0 --A FORWARD -j logdrop-1 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-1 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-2 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-3 --A FORWARD -j logdrop-4 --A FORWARD -j logpass-3 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT 
@@ -1065,53 +798,11 @@ hash:net family inet -A INPUT -m limit --limit 1/second -j LOG -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT --A INPUT -j ACCEPT --A INPUT -j logdrop-0 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-0 --A INPUT -j logdrop-1 --A INPUT -j logpass-0 --A INPUT -j logaccept-1 --A INPUT -j logdrop-2 --A INPUT -j logpass-1 --A INPUT -j logaccept-2 --A INPUT -j logdrop-3 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-3 --A INPUT -j logdrop-4 --A INPUT -j logpass-3 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmp -j icmp-routing -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -o lo -j ACCEPT --A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-0 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-0 --A OUTPUT -j logdrop-1 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-1 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-2 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-3 --A OUTPUT -j logdrop-4 --A OUTPUT -j logpass-3 -A OUTPUT -m limit --limit 12/minute -j ULOG -A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT 
@@ -1119,31 +810,6 @@ hash:net family inet -A icmp-routing -p icmp --icmp-type 3 -j ACCEPT -A icmp-routing -p icmp --icmp-type 11 -j ACCEPT -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT --A logaccept-0 -m limit --limit 1/second -j LOG --A logaccept-0 -j ACCEPT --A logaccept-1 -j LOG --A logaccept-1 -j ACCEPT --A logaccept-2 -j TEE --gateway 10.0.0.1 --A logaccept-2 -j TEE --gateway 10.0.0.2 --A logaccept-2 -j ACCEPT --A logaccept-3 -m limit --limit 12/minute -j ULOG --A logaccept-3 -j ACCEPT --A logdrop-0 -m limit --limit 1/second -j LOG --A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -j LOG --A logdrop-2 -j DROP --A logdrop-3 -j TEE --gateway 10.0.0.1 --A logdrop-3 -j TEE --gateway 10.0.0.2 --A logdrop-3 -j DROP --A logdrop-4 -m limit --limit 12/minute -j ULOG --A logdrop-4 -j DROP --A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-2 -j TEE --gateway 10.0.0.1 --A logpass-2 -j TEE --gateway 10.0.0.2 --A logpass-3 -m limit --limit 12/minute -j ULOG COMMIT *mangle :FORWARD ACCEPT [0:0] 
@@ -1236,39 +902,7 @@ COMMIT :INPUT DROP [0:0] :OUTPUT DROP [0:0] :icmp-routing - [0:0] -:logaccept-0 - [0:0] -:logaccept-1 - [0:0] -:logaccept-2 - [0:0] -:logaccept-3 - [0:0] -:logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT --A FORWARD -j ACCEPT --A FORWARD -j logdrop-0 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-0 --A FORWARD -j logdrop-1 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-1 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-2 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-3 --A FORWARD -j logdrop-4 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT 
@@ -1300,80 +934,18 @@ COMMIT -A INPUT -m limit --limit 1/second -j LOG -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT --A INPUT -j ACCEPT --A INPUT -j logdrop-0 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-0 --A INPUT -j logdrop-1 --A INPUT -j logpass-0 --A INPUT -j logaccept-1 --A INPUT -j logdrop-2 --A INPUT -j logpass-1 --A INPUT -j logaccept-2 --A INPUT -j logdrop-3 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-3 --A INPUT -j logdrop-4 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmpv6 -j ACCEPT -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-0 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-0 --A OUTPUT -j logdrop-1 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-1 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-2 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-3 --A OUTPUT -j logdrop-4 --A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT -A OUTPUT -p icmpv6 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT --A logaccept-0 -m limit --limit 1/second -j LOG --A logaccept-0 -j ACCEPT --A logaccept-1 -j LOG --A logaccept-1 -j TEE --gateway fc00::1 --A logaccept-1 -j ACCEPT --A logaccept-2 -j TEE --gateway fc00::2 --A logaccept-2 -j ACCEPT --A logaccept-3 -j ACCEPT --A logdrop-0 -m limit --limit 1/second -j LOG --A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -j LOG --A logdrop-2 -j TEE --gateway fc00::1 --A logdrop-2 -j DROP --A logdrop-3 -j TEE --gateway fc00::2 --A logdrop-3 -j DROP --A logdrop-4 
-j DROP --A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-1 -j TEE --gateway fc00::1 --A logpass-2 -j TEE --gateway fc00::2 COMMIT *mangle :INPUT ACCEPT [0:0] diff --git a/test/output/nat/rules-save b/test/output/nat/rules-save index 6cb780f..87177d5 100644 --- a/test/output/nat/rules-save +++ b/test/output/nat/rules-save @@ -4,41 +4,7 @@ :INPUT DROP [0:0] :OUTPUT DROP [0:0] :icmp-routing - [0:0] -:logaccept-0 - [0:0] -:logaccept-1 - [0:0] -:logaccept-2 - [0:0] -:logaccept-3 - [0:0] -:logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] -:logpass-3 - [0:0] -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT --A FORWARD -j ACCEPT --A FORWARD -j logdrop-0 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-0 --A FORWARD -j logdrop-1 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-1 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-2 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-3 --A FORWARD -j logdrop-4 --A FORWARD -j logpass-3 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT 
@@ -96,53 +62,11 @@ -A INPUT -m limit --limit 1/second -j LOG -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT --A INPUT -j ACCEPT --A INPUT -j logdrop-0 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-0 --A INPUT -j logdrop-1 --A INPUT -j logpass-0 --A INPUT -j logaccept-1 --A INPUT -j logdrop-2 --A INPUT -j logpass-1 --A INPUT -j logaccept-2 --A INPUT -j logdrop-3 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-3 --A INPUT -j logdrop-4 --A INPUT -j logpass-3 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmp -j icmp-routing -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -o lo -j ACCEPT --A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-0 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-0 --A OUTPUT -j logdrop-1 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-1 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-2 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-3 --A OUTPUT -j logdrop-4 --A OUTPUT -j logpass-3 -A OUTPUT -m limit --limit 12/minute -j ULOG -A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT 
@@ -150,31 +74,6 @@ -A icmp-routing -p icmp --icmp-type 3 -j ACCEPT -A icmp-routing -p icmp --icmp-type 11 -j ACCEPT -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT --A logaccept-0 -m limit --limit 1/second -j LOG --A logaccept-0 -j ACCEPT --A logaccept-1 -j LOG --A logaccept-1 -j ACCEPT --A logaccept-2 -j TEE --gateway 10.0.0.1 --A logaccept-2 -j TEE --gateway 10.0.0.2 --A logaccept-2 -j ACCEPT --A logaccept-3 -m limit --limit 12/minute -j ULOG --A logaccept-3 -j ACCEPT --A logdrop-0 -m limit --limit 1/second -j LOG --A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -j LOG --A logdrop-2 -j DROP --A logdrop-3 -j TEE --gateway 10.0.0.1 --A logdrop-3 -j TEE --gateway 10.0.0.2 --A logdrop-3 -j DROP --A logdrop-4 -m limit --limit 12/minute -j ULOG --A logdrop-4 -j DROP --A logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-2 -j TEE --gateway 10.0.0.1 --A logpass-2 -j TEE --gateway 10.0.0.2 --A logpass-3 -m limit --limit 12/minute -j ULOG COMMIT *mangle :FORWARD ACCEPT [0:0] diff --git a/test/output/nat/rules6-save b/test/output/nat/rules6-save index 6eb67fc..205fe05 100644 --- a/test/output/nat/rules6-save +++ b/test/output/nat/rules6-save 
@@ -4,39 +4,7 @@ :INPUT DROP [0:0] :OUTPUT DROP [0:0] :icmp-routing - [0:0] -:logaccept-0 - [0:0] -:logaccept-1 - [0:0] -:logaccept-2 - [0:0] -:logaccept-3 - [0:0] -:logdrop-0 - [0:0] -:logdrop-1 - [0:0] -:logdrop-2 - [0:0] -:logdrop-3 - [0:0] -:logdrop-4 - [0:0] -:logpass-0 - [0:0] -:logpass-1 - [0:0] -:logpass-2 - [0:0] -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT --A FORWARD -j ACCEPT --A FORWARD -j logdrop-0 --A FORWARD --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-0 --A FORWARD -j logdrop-1 --A FORWARD -j logpass-0 --A FORWARD -j logaccept-1 --A FORWARD -j logdrop-2 --A FORWARD -j logpass-1 --A FORWARD -j logaccept-2 --A FORWARD -j logdrop-3 --A FORWARD -j logpass-2 --A FORWARD -j ACCEPT --A FORWARD -j DROP --A FORWARD --A FORWARD -j logaccept-3 --A FORWARD -j logdrop-4 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT 
@@ -68,80 +36,18 @@ -A INPUT -m limit --limit 1/second -j LOG -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT --A INPUT -j ACCEPT --A INPUT -j logdrop-0 --A INPUT --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-0 --A INPUT -j logdrop-1 --A INPUT -j logpass-0 --A INPUT -j logaccept-1 --A INPUT -j logdrop-2 --A INPUT -j logpass-1 --A INPUT -j logaccept-2 --A INPUT -j logdrop-3 --A INPUT -j logpass-2 --A INPUT -j ACCEPT --A INPUT -j DROP --A INPUT --A INPUT -j logaccept-3 --A INPUT -j logdrop-4 -A INPUT -i eth0 -j ACCEPT -A INPUT -j ACCEPT -A INPUT -p icmpv6 -j ACCEPT -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -j ACCEPT --A OUTPUT -j logdrop-0 --A OUTPUT --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-0 --A OUTPUT -j logdrop-1 --A OUTPUT -j logpass-0 --A OUTPUT -j logaccept-1 --A OUTPUT -j logdrop-2 --A OUTPUT -j logpass-1 --A OUTPUT -j logaccept-2 --A OUTPUT -j logdrop-3 --A OUTPUT -j logpass-2 --A OUTPUT -j ACCEPT --A OUTPUT -j DROP --A OUTPUT --A OUTPUT -j logaccept-3 --A OUTPUT -j logdrop-4 --A OUTPUT -j ACCEPT -A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT -A OUTPUT -p icmpv6 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT --A logaccept-0 -m limit --limit 1/second -j LOG --A logaccept-0 -j ACCEPT --A logaccept-1 -j LOG --A logaccept-1 -j TEE --gateway fc00::1 --A logaccept-1 -j ACCEPT --A logaccept-2 -j TEE --gateway fc00::2 --A logaccept-2 -j ACCEPT --A logaccept-3 -j ACCEPT --A logdrop-0 -m limit --limit 1/second -j LOG --A logdrop-0 -j DROP --A logdrop-1 -m limit --limit 1/second -j LOG --A logdrop-1 -j DROP --A logdrop-2 -j LOG --A logdrop-2 -j TEE --gateway fc00::1 --A logdrop-2 -j DROP --A logdrop-3 -j TEE --gateway fc00::2 --A logdrop-3 -j DROP --A logdrop-4 -j DROP --A 
logpass-0 -m limit --limit 1/second -j LOG --A logpass-1 -j LOG --A logpass-1 -j TEE --gateway fc00::1 --A logpass-2 -j TEE --gateway fc00::2 COMMIT *mangle :INPUT ACCEPT [0:0] diff --git a/test/output/no-track/dump b/test/output/no-track/dump index cc045e3..664c09b 100644 --- a/test/output/no-track/dump +++ b/test/output/no-track/dump 
@@ -12,402 +12,169 @@ Dnat 2 {"in":"B"} inet/nat/PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT -Filter 1 {} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 2 {"action":"drop"} -(log) - inet/filter/FORWARD -j logdrop-0 - inet/filter/INPUT -j logdrop-0 - inet/filter/OUTPUT -j logdrop-0 - inet/filter/logdrop-0 -m limit --limit 1/second -j LOG - inet/filter/logdrop-0 -j DROP - inet6/filter/FORWARD -j logdrop-0 - inet6/filter/INPUT -j logdrop-0 - inet6/filter/OUTPUT -j logdrop-0 - inet6/filter/logdrop-0 -m limit --limit 1/second -j LOG - inet6/filter/logdrop-0 -j DROP - -Filter 3 {"action":"pass"} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 4 {"log":false} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 5 {"action":"drop","log":false} -(log) - inet/filter/FORWARD -j DROP - inet/filter/INPUT -j DROP - inet/filter/OUTPUT -j DROP - inet6/filter/FORWARD -j DROP - inet6/filter/INPUT -j DROP - inet6/filter/OUTPUT -j DROP - -Filter 6 {"action":"pass","log":false} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 7 {"log":true} -(log) - inet/filter/FORWARD -j logaccept-0 - inet/filter/INPUT -j logaccept-0 - inet/filter/OUTPUT -j logaccept-0 - inet/filter/logaccept-0 -m limit --limit 1/second -j LOG - inet/filter/logaccept-0 -j ACCEPT - inet6/filter/FORWARD -j logaccept-0 - inet6/filter/INPUT -j logaccept-0 - inet6/filter/OUTPUT -j logaccept-0 - inet6/filter/logaccept-0 -m limit --limit 1/second -j LOG - inet6/filter/logaccept-0 -j ACCEPT - -Filter 8 
{"action":"drop","log":true} -(log) - inet/filter/FORWARD -j logdrop-1 - inet/filter/INPUT -j logdrop-1 - inet/filter/OUTPUT -j logdrop-1 - inet/filter/logdrop-1 -m limit --limit 1/second -j LOG - inet/filter/logdrop-1 -j DROP - inet6/filter/FORWARD -j logdrop-1 - inet6/filter/INPUT -j logdrop-1 - inet6/filter/OUTPUT -j logdrop-1 - inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG - inet6/filter/logdrop-1 -j DROP - -Filter 9 {"action":"pass","log":true} -(log) - inet/filter/FORWARD -j logpass-0 - inet/filter/INPUT -j logpass-0 - inet/filter/OUTPUT -j logpass-0 - inet/filter/logpass-0 -m limit --limit 1/second -j LOG - inet6/filter/FORWARD -j logpass-0 - inet6/filter/INPUT -j logpass-0 - inet6/filter/OUTPUT -j logpass-0 - inet6/filter/logpass-0 -m limit --limit 1/second -j LOG - -Filter 10 {"log":"dual"} -(log) - inet/filter/FORWARD -j logaccept-1 - inet/filter/INPUT -j logaccept-1 - inet/filter/OUTPUT -j logaccept-1 - inet/filter/logaccept-1 -j LOG - inet/filter/logaccept-1 -j ACCEPT - inet6/filter/FORWARD -j logaccept-1 - inet6/filter/INPUT -j logaccept-1 - inet6/filter/OUTPUT -j logaccept-1 - inet6/filter/logaccept-1 -j LOG - inet6/filter/logaccept-1 -j TEE --gateway fc00::1 - inet6/filter/logaccept-1 -j ACCEPT - -Filter 11 {"action":"drop","log":"dual"} -(log) - inet/filter/FORWARD -j logdrop-2 - inet/filter/INPUT -j logdrop-2 - inet/filter/OUTPUT -j logdrop-2 - inet/filter/logdrop-2 -j LOG - inet/filter/logdrop-2 -j DROP - inet6/filter/FORWARD -j logdrop-2 - inet6/filter/INPUT -j logdrop-2 - inet6/filter/OUTPUT -j logdrop-2 - inet6/filter/logdrop-2 -j LOG - inet6/filter/logdrop-2 -j TEE --gateway fc00::1 - inet6/filter/logdrop-2 -j DROP - -Filter 12 {"action":"pass","log":"dual"} -(log) - inet/filter/FORWARD -j logpass-1 - inet/filter/INPUT -j logpass-1 - inet/filter/OUTPUT -j logpass-1 - inet/filter/logpass-1 -j LOG - inet6/filter/FORWARD -j logpass-1 - inet6/filter/INPUT -j logpass-1 - inet6/filter/OUTPUT -j logpass-1 - inet6/filter/logpass-1 -j LOG - 
inet6/filter/logpass-1 -j TEE --gateway fc00::1 - -Filter 13 {"log":"mirror"} -(log) - inet/filter/FORWARD -j logaccept-2 - inet/filter/INPUT -j logaccept-2 - inet/filter/OUTPUT -j logaccept-2 - inet/filter/logaccept-2 -j TEE --gateway 10.0.0.1 - inet/filter/logaccept-2 -j TEE --gateway 10.0.0.2 - inet/filter/logaccept-2 -j ACCEPT - inet6/filter/FORWARD -j logaccept-2 - inet6/filter/INPUT -j logaccept-2 - inet6/filter/OUTPUT -j logaccept-2 - inet6/filter/logaccept-2 -j TEE --gateway fc00::2 - inet6/filter/logaccept-2 -j ACCEPT - -Filter 14 {"action":"drop","log":"mirror"} -(log) - inet/filter/FORWARD -j logdrop-3 - inet/filter/INPUT -j logdrop-3 - inet/filter/OUTPUT -j logdrop-3 - inet/filter/logdrop-3 -j TEE --gateway 10.0.0.1 - inet/filter/logdrop-3 -j TEE --gateway 10.0.0.2 - inet/filter/logdrop-3 -j DROP - inet6/filter/FORWARD -j logdrop-3 - inet6/filter/INPUT -j logdrop-3 - inet6/filter/OUTPUT -j logdrop-3 - inet6/filter/logdrop-3 -j TEE --gateway fc00::2 - inet6/filter/logdrop-3 -j DROP - -Filter 15 {"action":"pass","log":"mirror"} -(log) - inet/filter/FORWARD -j logpass-2 - inet/filter/INPUT -j logpass-2 - inet/filter/OUTPUT -j logpass-2 - inet/filter/logpass-2 -j TEE --gateway 10.0.0.1 - inet/filter/logpass-2 -j TEE --gateway 10.0.0.2 - inet6/filter/FORWARD -j logpass-2 - inet6/filter/INPUT -j logpass-2 - inet6/filter/OUTPUT -j logpass-2 - inet6/filter/logpass-2 -j TEE --gateway fc00::2 - -Filter 16 {"log":"none"} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 17 {"action":"drop","log":"none"} -(log) - inet/filter/FORWARD -j DROP - inet/filter/INPUT -j DROP - inet/filter/OUTPUT -j DROP - inet6/filter/FORWARD -j DROP - inet6/filter/INPUT -j DROP - inet6/filter/OUTPUT -j DROP - -Filter 18 {"action":"pass","log":"none"} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - 
inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 19 {"log":"ulog"} -(log) - inet/filter/FORWARD -j logaccept-3 - inet/filter/INPUT -j logaccept-3 - inet/filter/OUTPUT -j logaccept-3 - inet/filter/logaccept-3 -m limit --limit 12/minute -j ULOG - inet/filter/logaccept-3 -j ACCEPT - inet6/filter/FORWARD -j logaccept-3 - inet6/filter/INPUT -j logaccept-3 - inet6/filter/OUTPUT -j logaccept-3 - inet6/filter/logaccept-3 -j ACCEPT - -Filter 20 {"action":"drop","log":"ulog"} -(log) - inet/filter/FORWARD -j logdrop-4 - inet/filter/INPUT -j logdrop-4 - inet/filter/OUTPUT -j logdrop-4 - inet/filter/logdrop-4 -m limit --limit 12/minute -j ULOG - inet/filter/logdrop-4 -j DROP - inet6/filter/FORWARD -j logdrop-4 - inet6/filter/INPUT -j logdrop-4 - inet6/filter/OUTPUT -j logdrop-4 - inet6/filter/logdrop-4 -j DROP - -Filter 21 {"action":"pass","log":"ulog"} -(log) - inet/filter/FORWARD -j logpass-3 - inet/filter/INPUT -j logpass-3 - inet/filter/OUTPUT -j logpass-3 - inet/filter/logpass-3 -m limit --limit 12/minute -j ULOG - -Filter 22 {"action":"pass","in":"_fw","log":"ulog"} -(log) - inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG - -Filter 23 {"in":"_fw","no-track":true,"service":"http"} -(no-track) - inet/filter/INPUT -p tcp --sport 80 -j ACCEPT - inet/filter/OUTPUT -p tcp --dport 80 -j ACCEPT - inet/raw/OUTPUT -p tcp --dport 80 -j CT --notrack - inet/raw/PREROUTING -m addrtype --dst-type LOCAL -p tcp --sport 80 -j CT --notrack - inet6/filter/INPUT -p tcp --sport 80 -j ACCEPT - inet6/filter/OUTPUT -p tcp --dport 80 -j ACCEPT - inet6/raw/OUTPUT -p tcp --dport 80 -j CT --notrack - inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -p tcp --sport 80 -j CT --notrack - -Filter 24 {"dest":"172.17.0.0\/16","no-track":true,"service":"radius","src":"172.16.0.0\/16"} -(no-track) - inet/filter/FORWARD -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT - inet/filter/FORWARD -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT - 
inet/filter/FORWARD -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT - inet/filter/FORWARD -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT - inet/filter/INPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT - inet/filter/INPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT - inet/filter/INPUT -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT - inet/filter/INPUT -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT - inet/filter/OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT - inet/filter/OUTPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT - inet/filter/OUTPUT -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT - inet/filter/OUTPUT -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT - inet/raw/OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack - inet/raw/OUTPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack - inet/raw/OUTPUT -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack - inet/raw/OUTPUT -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack - inet/raw/PREROUTING -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack - inet/raw/PREROUTING -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack - inet/raw/PREROUTING -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack - inet/raw/PREROUTING -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack - -Filter 25 {"dest":"172.18.0.0\/16","no-track":true,"service":"ssh"} -(no-track) - inet/filter/FORWARD -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT - inet/filter/FORWARD -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT - inet/filter/INPUT -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT - inet/filter/INPUT -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT - inet/filter/OUTPUT -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT - inet/filter/OUTPUT 
-p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT - inet/raw/OUTPUT -p tcp --dport 22 -d 172.18.0.0/16 -j CT --notrack - inet/raw/OUTPUT -p tcp --sport 22 -s 172.18.0.0/16 -j CT --notrack - inet/raw/PREROUTING -p tcp --dport 22 -d 172.18.0.0/16 -j CT --notrack - inet/raw/PREROUTING -p tcp --sport 22 -s 172.18.0.0/16 -j CT --notrack - -Filter 26 {"no-track":true,"out":"_fw","service":"ipsec"} -(no-track) - inet/filter/INPUT -p esp -j ACCEPT - inet/filter/INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT - inet/filter/OUTPUT -p esp -j ACCEPT - inet/filter/OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT - inet/raw/OUTPUT -p esp -j CT --notrack - inet/raw/OUTPUT -p udp -m multiport --sports 500,4500 -j CT --notrack - inet/raw/PREROUTING -m addrtype --dst-type LOCAL -p esp -j CT --notrack - inet/raw/PREROUTING -m addrtype --dst-type LOCAL -p udp -m multiport --dports 500,4500 -j CT --notrack - inet6/filter/INPUT -p esp -j ACCEPT - inet6/filter/INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT - inet6/filter/OUTPUT -p esp -j ACCEPT - inet6/filter/OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT - inet6/raw/OUTPUT -p esp -j CT --notrack - inet6/raw/OUTPUT -p udp -m multiport --sports 500,4500 -j CT --notrack - inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -p esp -j CT --notrack - inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -p udp -m multiport --dports 500,4500 -j CT --notrack - -Filter 27 {"in":["_fw","A"]} -(zone) - inet/filter/FORWARD -i eth0 -j ACCEPT - inet/filter/INPUT -i eth0 -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -i eth0 -j ACCEPT - inet6/filter/INPUT -i eth0 -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 28 {"in":"B","out":"C"} -(zone) - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT +Filter 1 {"action":"pass","in":"_fw","log":"ulog"} +(log) + inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG + 
+Filter 2 {"in":"_fw","no-track":true,"service":"http"} +(no-track) + inet/filter/INPUT -p tcp --sport 80 -j ACCEPT + inet/filter/OUTPUT -p tcp --dport 80 -j ACCEPT + inet/raw/OUTPUT -p tcp --dport 80 -j CT --notrack + inet/raw/PREROUTING -m addrtype --dst-type LOCAL -p tcp --sport 80 -j CT --notrack + inet6/filter/INPUT -p tcp --sport 80 -j ACCEPT + inet6/filter/OUTPUT -p tcp --dport 80 -j ACCEPT + inet6/raw/OUTPUT -p tcp --dport 80 -j CT --notrack + inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -p tcp --sport 80 -j CT --notrack + +Filter 3 {"dest":"172.17.0.0\/16","no-track":true,"service":"radius","src":"172.16.0.0\/16"} +(no-track) + inet/filter/FORWARD -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT + inet/filter/FORWARD -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT + inet/filter/FORWARD -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT + inet/filter/FORWARD -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT + inet/filter/INPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT + inet/filter/INPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT + inet/filter/INPUT -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT + inet/filter/INPUT -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT + inet/filter/OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT + inet/filter/OUTPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT + inet/filter/OUTPUT -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT + inet/filter/OUTPUT -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT + inet/raw/OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack + inet/raw/OUTPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack + inet/raw/OUTPUT -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack + inet/raw/OUTPUT -p udp --sport 1812 -d 172.16.0.0/16 -s 
172.17.0.0/16 -j CT --notrack + inet/raw/PREROUTING -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack + inet/raw/PREROUTING -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack + inet/raw/PREROUTING -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack + inet/raw/PREROUTING -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack + +Filter 4 {"dest":"172.18.0.0\/16","no-track":true,"service":"ssh"} +(no-track) + inet/filter/FORWARD -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT + inet/filter/FORWARD -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT + inet/filter/INPUT -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT + inet/filter/INPUT -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT + inet/filter/OUTPUT -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT + inet/filter/OUTPUT -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT + inet/raw/OUTPUT -p tcp --dport 22 -d 172.18.0.0/16 -j CT --notrack + inet/raw/OUTPUT -p tcp --sport 22 -s 172.18.0.0/16 -j CT --notrack + inet/raw/PREROUTING -p tcp --dport 22 -d 172.18.0.0/16 -j CT --notrack + inet/raw/PREROUTING -p tcp --sport 22 -s 172.18.0.0/16 -j CT --notrack + +Filter 5 {"no-track":true,"out":"_fw","service":"ipsec"} +(no-track) + inet/filter/INPUT -p esp -j ACCEPT + inet/filter/INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT + inet/filter/OUTPUT -p esp -j ACCEPT + inet/filter/OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT + inet/raw/OUTPUT -p esp -j CT --notrack + inet/raw/OUTPUT -p udp -m multiport --sports 500,4500 -j CT --notrack + inet/raw/PREROUTING -m addrtype --dst-type LOCAL -p esp -j CT --notrack + inet/raw/PREROUTING -m addrtype --dst-type LOCAL -p udp -m multiport --dports 500,4500 -j CT --notrack + inet6/filter/INPUT -p esp -j ACCEPT + inet6/filter/INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT + inet6/filter/OUTPUT -p esp -j ACCEPT + inet6/filter/OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT + inet6/raw/OUTPUT -p esp -j CT --notrack + 
inet6/raw/OUTPUT -p udp -m multiport --sports 500,4500 -j CT --notrack + inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -p esp -j CT --notrack + inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -p udp -m multiport --dports 500,4500 -j CT --notrack + +Filter 6 {"in":["_fw","A"]} +(zone) + inet/filter/FORWARD -i eth0 -j ACCEPT + inet/filter/INPUT -i eth0 -j ACCEPT + inet/filter/OUTPUT -j ACCEPT + inet6/filter/FORWARD -i eth0 -j ACCEPT + inet6/filter/INPUT -i eth0 -j ACCEPT + inet6/filter/OUTPUT -j ACCEPT + +Filter 7 {"in":"B","out":"C"} +(zone) + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT -Filter 29 {"out":["_fw","B"]} -(zone) - inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT - -Filter 30 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} -(zone) - inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 
-o eth0 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT - inet/filter/FORWARD -m policy 
--dir in --pol ipsec -o eth5 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT +Filter 8 {"out":["_fw","B"]} +(zone) + inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/INPUT -j ACCEPT + inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/INPUT -j ACCEPT + inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT + +Filter 9 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} +(zone) + 
inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT 
+ inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth4 -m policy --dir out 
--pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT Ipset awall-masquerade {"family":"inet","type":"hash:net"}
@@ -747,41 +514,7 @@ hash:net family inet
 :INPUT DROP [0:0]
 :OUTPUT DROP [0:0]
 :icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
 -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-3
 -A FORWARD -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
 -A FORWARD -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
 -A FORWARD -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
@@ -845,27 +578,6 @@ hash:net family inet
 -A INPUT -m limit --limit 1/second -j LOG
 -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
--A INPUT -j logpass-3
 -A INPUT -p tcp --sport 80 -j ACCEPT
 -A INPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
 -A INPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
@@ -880,27 +592,6 @@ hash:net family inet
 -A INPUT -p icmp -j icmp-routing
 -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-3
 -A OUTPUT -m limit --limit 12/minute -j ULOG
 -A OUTPUT -p tcp --dport 80 -j ACCEPT
 -A OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
@@ -917,31 +608,6 @@ hash:net family inet
 -A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
 -A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
 -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway 10.0.0.1
--A logaccept-2 -j TEE --gateway 10.0.0.2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -m limit --limit 12/minute -j ULOG
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway 10.0.0.1
--A logdrop-3 -j TEE --gateway 10.0.0.2
--A logdrop-3 -j DROP
--A logdrop-4 -m limit --limit 12/minute -j ULOG
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
 COMMIT
 *mangle
 :FORWARD ACCEPT [0:0]
@@ -1004,39 +670,7 @@ COMMIT
 :INPUT DROP [0:0]
 :OUTPUT DROP [0:0]
 :icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
 -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
 -A FORWARD -i eth0 -j ACCEPT
 -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
 -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -1068,26 +702,6 @@ COMMIT
 -A INPUT -m limit --limit 1/second -j LOG
 -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
 -A INPUT -p tcp --sport 80 -j ACCEPT
 -A INPUT -p esp -j ACCEPT
 -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
@@ -1096,26 +710,6 @@ COMMIT
 -A INPUT -p icmpv6 -j ACCEPT
 -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
 -A OUTPUT -p tcp --dport 80 -j ACCEPT
 -A OUTPUT -p esp -j ACCEPT
 -A OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT
@@ -1126,28 +720,6 @@ COMMIT
 -A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j TEE --gateway fc00::1
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway fc00::2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j TEE --gateway fc00::1
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway fc00::2
--A logdrop-3 -j DROP
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
 COMMIT
 *mangle
 :INPUT ACCEPT [0:0]
diff --git a/test/output/no-track/rules-save b/test/output/no-track/rules-save
index 807fa87..e4c2914 100644
--- a/test/output/no-track/rules-save
+++ b/test/output/no-track/rules-save
@@ -4,41 +4,7 @@
 :INPUT DROP [0:0]
 :OUTPUT DROP [0:0]
 :icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
 -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-3
 -A FORWARD -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
 -A FORWARD -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
 -A FORWARD -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
@@ -102,27 +68,6 @@
 -A INPUT -m limit --limit 1/second -j LOG
 -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
--A INPUT -j logpass-3
 -A INPUT -p tcp --sport 80 -j ACCEPT
 -A INPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
 -A INPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
@@ -137,27 +82,6 @@
 -A INPUT -p icmp -j icmp-routing
 -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-3
 -A OUTPUT -m limit --limit 12/minute -j ULOG
 -A OUTPUT -p tcp --dport 80 -j ACCEPT
 -A OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
@@ -174,31 +98,6 @@
 -A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
 -A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
 -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway 10.0.0.1
--A logaccept-2 -j TEE --gateway 10.0.0.2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -m limit --limit 12/minute -j ULOG
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway 10.0.0.1
--A logdrop-3 -j TEE --gateway 10.0.0.2
--A logdrop-3 -j DROP
--A logdrop-4 -m limit --limit 12/minute -j ULOG
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
 COMMIT
 *mangle
 :FORWARD ACCEPT [0:0]
diff --git a/test/output/no-track/rules6-save b/test/output/no-track/rules6-save
index f742fd3..75fed77 100644
--- a/test/output/no-track/rules6-save
+++ b/test/output/no-track/rules6-save
@@ -4,39 +4,7 @@
 :INPUT DROP [0:0]
 :OUTPUT DROP [0:0]
 :icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
 -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
 -A FORWARD -i eth0 -j ACCEPT
 -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
 -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -68,26 +36,6 @@
 -A INPUT -m limit --limit 1/second -j LOG
 -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
 -A INPUT -p tcp --sport 80 -j ACCEPT
 -A INPUT -p esp -j ACCEPT
 -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
@@ -96,26 +44,6 @@
 -A INPUT -p icmpv6 -j ACCEPT
 -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
 -A OUTPUT -p tcp --dport 80 -j ACCEPT
 -A OUTPUT -p esp -j ACCEPT
 -A OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT
@@ -126,28 +54,6 @@
 -A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j TEE --gateway fc00::1
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway fc00::2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j TEE --gateway fc00::1
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway fc00::2
--A logdrop-3 -j DROP
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
 COMMIT
 *mangle
 :INPUT ACCEPT [0:0]
diff --git a/test/output/route-track/dump b/test/output/route-track/dump
index 70862d9..01d1004 100644
--- a/test/output/route-track/dump
+++ b/test/output/route-track/dump
@@ -12,336 +12,103 @@ Dnat 2 {"in":"B"} inet/nat/PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT -Filter 1 {} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 2 {"action":"drop"} -(log) - inet/filter/FORWARD -j logdrop-0 - inet/filter/INPUT -j logdrop-0 - inet/filter/OUTPUT -j logdrop-0 - inet/filter/logdrop-0 -m limit --limit 1/second -j LOG - inet/filter/logdrop-0 -j DROP - inet6/filter/FORWARD -j logdrop-0 - inet6/filter/INPUT -j logdrop-0 - inet6/filter/OUTPUT -j logdrop-0 - inet6/filter/logdrop-0 -m limit --limit 1/second -j LOG - inet6/filter/logdrop-0 -j DROP - -Filter 3 {"action":"pass"} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 4 {"log":false} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 5 {"action":"drop","log":false} -(log) - inet/filter/FORWARD -j DROP - inet/filter/INPUT -j DROP - inet/filter/OUTPUT -j DROP - inet6/filter/FORWARD -j DROP - inet6/filter/INPUT -j DROP - inet6/filter/OUTPUT -j DROP - -Filter 6 {"action":"pass","log":false} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 7 {"log":true} -(log) - inet/filter/FORWARD -j logaccept-0 - inet/filter/INPUT -j logaccept-0 - inet/filter/OUTPUT -j logaccept-0 - inet/filter/logaccept-0 -m limit --limit 1/second -j LOG - inet/filter/logaccept-0 -j ACCEPT - inet6/filter/FORWARD -j logaccept-0 - inet6/filter/INPUT -j logaccept-0 - inet6/filter/OUTPUT -j logaccept-0 - inet6/filter/logaccept-0 -m limit --limit 1/second -j LOG - inet6/filter/logaccept-0 -j ACCEPT - -Filter 8 
{"action":"drop","log":true} -(log) - inet/filter/FORWARD -j logdrop-1 - inet/filter/INPUT -j logdrop-1 - inet/filter/OUTPUT -j logdrop-1 - inet/filter/logdrop-1 -m limit --limit 1/second -j LOG - inet/filter/logdrop-1 -j DROP - inet6/filter/FORWARD -j logdrop-1 - inet6/filter/INPUT -j logdrop-1 - inet6/filter/OUTPUT -j logdrop-1 - inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG - inet6/filter/logdrop-1 -j DROP - -Filter 9 {"action":"pass","log":true} -(log) - inet/filter/FORWARD -j logpass-0 - inet/filter/INPUT -j logpass-0 - inet/filter/OUTPUT -j logpass-0 - inet/filter/logpass-0 -m limit --limit 1/second -j LOG - inet6/filter/FORWARD -j logpass-0 - inet6/filter/INPUT -j logpass-0 - inet6/filter/OUTPUT -j logpass-0 - inet6/filter/logpass-0 -m limit --limit 1/second -j LOG - -Filter 10 {"log":"dual"} -(log) - inet/filter/FORWARD -j logaccept-1 - inet/filter/INPUT -j logaccept-1 - inet/filter/OUTPUT -j logaccept-1 - inet/filter/logaccept-1 -j LOG - inet/filter/logaccept-1 -j ACCEPT - inet6/filter/FORWARD -j logaccept-1 - inet6/filter/INPUT -j logaccept-1 - inet6/filter/OUTPUT -j logaccept-1 - inet6/filter/logaccept-1 -j LOG - inet6/filter/logaccept-1 -j TEE --gateway fc00::1 - inet6/filter/logaccept-1 -j ACCEPT - -Filter 11 {"action":"drop","log":"dual"} -(log) - inet/filter/FORWARD -j logdrop-2 - inet/filter/INPUT -j logdrop-2 - inet/filter/OUTPUT -j logdrop-2 - inet/filter/logdrop-2 -j LOG - inet/filter/logdrop-2 -j DROP - inet6/filter/FORWARD -j logdrop-2 - inet6/filter/INPUT -j logdrop-2 - inet6/filter/OUTPUT -j logdrop-2 - inet6/filter/logdrop-2 -j LOG - inet6/filter/logdrop-2 -j TEE --gateway fc00::1 - inet6/filter/logdrop-2 -j DROP - -Filter 12 {"action":"pass","log":"dual"} -(log) - inet/filter/FORWARD -j logpass-1 - inet/filter/INPUT -j logpass-1 - inet/filter/OUTPUT -j logpass-1 - inet/filter/logpass-1 -j LOG - inet6/filter/FORWARD -j logpass-1 - inet6/filter/INPUT -j logpass-1 - inet6/filter/OUTPUT -j logpass-1 - inet6/filter/logpass-1 -j LOG - 
inet6/filter/logpass-1 -j TEE --gateway fc00::1 - -Filter 13 {"log":"mirror"} -(log) - inet/filter/FORWARD -j logaccept-2 - inet/filter/INPUT -j logaccept-2 - inet/filter/OUTPUT -j logaccept-2 - inet/filter/logaccept-2 -j TEE --gateway 10.0.0.1 - inet/filter/logaccept-2 -j TEE --gateway 10.0.0.2 - inet/filter/logaccept-2 -j ACCEPT - inet6/filter/FORWARD -j logaccept-2 - inet6/filter/INPUT -j logaccept-2 - inet6/filter/OUTPUT -j logaccept-2 - inet6/filter/logaccept-2 -j TEE --gateway fc00::2 - inet6/filter/logaccept-2 -j ACCEPT - -Filter 14 {"action":"drop","log":"mirror"} -(log) - inet/filter/FORWARD -j logdrop-3 - inet/filter/INPUT -j logdrop-3 - inet/filter/OUTPUT -j logdrop-3 - inet/filter/logdrop-3 -j TEE --gateway 10.0.0.1 - inet/filter/logdrop-3 -j TEE --gateway 10.0.0.2 - inet/filter/logdrop-3 -j DROP - inet6/filter/FORWARD -j logdrop-3 - inet6/filter/INPUT -j logdrop-3 - inet6/filter/OUTPUT -j logdrop-3 - inet6/filter/logdrop-3 -j TEE --gateway fc00::2 - inet6/filter/logdrop-3 -j DROP - -Filter 15 {"action":"pass","log":"mirror"} -(log) - inet/filter/FORWARD -j logpass-2 - inet/filter/INPUT -j logpass-2 - inet/filter/OUTPUT -j logpass-2 - inet/filter/logpass-2 -j TEE --gateway 10.0.0.1 - inet/filter/logpass-2 -j TEE --gateway 10.0.0.2 - inet6/filter/FORWARD -j logpass-2 - inet6/filter/INPUT -j logpass-2 - inet6/filter/OUTPUT -j logpass-2 - inet6/filter/logpass-2 -j TEE --gateway fc00::2 - -Filter 16 {"log":"none"} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 17 {"action":"drop","log":"none"} -(log) - inet/filter/FORWARD -j DROP - inet/filter/INPUT -j DROP - inet/filter/OUTPUT -j DROP - inet6/filter/FORWARD -j DROP - inet6/filter/INPUT -j DROP - inet6/filter/OUTPUT -j DROP - -Filter 18 {"action":"pass","log":"none"} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - 
inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 19 {"log":"ulog"} -(log) - inet/filter/FORWARD -j logaccept-3 - inet/filter/INPUT -j logaccept-3 - inet/filter/OUTPUT -j logaccept-3 - inet/filter/logaccept-3 -m limit --limit 12/minute -j ULOG - inet/filter/logaccept-3 -j ACCEPT - inet6/filter/FORWARD -j logaccept-3 - inet6/filter/INPUT -j logaccept-3 - inet6/filter/OUTPUT -j logaccept-3 - inet6/filter/logaccept-3 -j ACCEPT - -Filter 20 {"action":"drop","log":"ulog"} -(log) - inet/filter/FORWARD -j logdrop-4 - inet/filter/INPUT -j logdrop-4 - inet/filter/OUTPUT -j logdrop-4 - inet/filter/logdrop-4 -m limit --limit 12/minute -j ULOG - inet/filter/logdrop-4 -j DROP - inet6/filter/FORWARD -j logdrop-4 - inet6/filter/INPUT -j logdrop-4 - inet6/filter/OUTPUT -j logdrop-4 - inet6/filter/logdrop-4 -j DROP - -Filter 21 {"action":"pass","log":"ulog"} -(log) - inet/filter/FORWARD -j logpass-3 - inet/filter/INPUT -j logpass-3 - inet/filter/OUTPUT -j logpass-3 - inet/filter/logpass-3 -m limit --limit 12/minute -j ULOG - -Filter 22 {"action":"pass","in":"_fw","log":"ulog"} -(log) - inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG - -Filter 23 {"in":["_fw","A"]} -(zone) - inet/filter/FORWARD -i eth0 -j ACCEPT - inet/filter/INPUT -i eth0 -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -i eth0 -j ACCEPT - inet6/filter/INPUT -i eth0 -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 24 {"in":"B","out":"C"} -(zone) - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT +Filter 1 {"action":"pass","in":"_fw","log":"ulog"} +(log) + inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG -Filter 25 {"out":["_fw","B"]} -(zone) - inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/INPUT -j ACCEPT 
- inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT - -Filter 26 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} -(zone) - inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j 
ACCEPT - inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT - 
inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT +Filter 2 {"in":["_fw","A"]} +(zone) + inet/filter/FORWARD -i eth0 -j ACCEPT + inet/filter/INPUT -i eth0 -j ACCEPT + inet/filter/OUTPUT -j ACCEPT + inet6/filter/FORWARD -i eth0 -j ACCEPT + inet6/filter/INPUT -i eth0 -j ACCEPT + inet6/filter/OUTPUT -j ACCEPT + +Filter 3 {"in":"B","out":"C"} +(zone) + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + +Filter 4 {"out":["_fw","B"]} +(zone) + inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/INPUT -j ACCEPT + inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/INPUT -j ACCEPT + inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT + +Filter 5 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} +(zone) + inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + 
inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -m policy 
--dir in --pol ipsec -o eth0 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT Ipset 
awall-masquerade {"family":"inet","type":"hash:net"}
@@ -693,41 +460,7 @@ hash:net family inet
 :INPUT DROP [0:0]
 :OUTPUT DROP [0:0]
 :icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
 -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-3
 -A FORWARD -i eth0 -j ACCEPT
 -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
 -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -785,53 +518,11 @@ hash:net family inet
 -A INPUT -m limit --limit 1/second -j LOG
 -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
--A INPUT -j logpass-3
 -A INPUT -i eth0 -j ACCEPT
 -A INPUT -j ACCEPT
 -A INPUT -p icmp -j icmp-routing
 -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-3
 -A OUTPUT -m limit --limit 12/minute -j ULOG
 -A OUTPUT -j ACCEPT
 -A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -839,31 +530,6 @@ hash:net family inet
 -A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
 -A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
 -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway 10.0.0.1
--A logaccept-2 -j TEE --gateway 10.0.0.2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -m limit --limit 12/minute -j ULOG
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway 10.0.0.1
--A logdrop-3 -j TEE --gateway 10.0.0.2
--A logdrop-3 -j DROP
--A logdrop-4 -m limit --limit 12/minute -j ULOG
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
 COMMIT
 *mangle
 :FORWARD ACCEPT [0:0]
@@ -914,39 +580,7 @@ COMMIT
 :INPUT DROP [0:0]
 :OUTPUT DROP [0:0]
 :icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
 -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
 -A FORWARD -i eth0 -j ACCEPT
 -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
 -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -978,80 +612,18 @@ COMMIT
 -A INPUT -m limit --limit 1/second -j LOG
 -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
 -A INPUT -i eth0 -j ACCEPT
 -A INPUT -j ACCEPT
 -A INPUT -p icmpv6 -j ACCEPT
 -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j ACCEPT
 -A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
 -A OUTPUT -p icmpv6 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j TEE --gateway fc00::1
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway fc00::2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j TEE --gateway fc00::1
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway fc00::2
--A logdrop-3 -j DROP
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
 COMMIT
 *mangle
 :INPUT ACCEPT [0:0]
diff --git a/test/output/route-track/rules-save b/test/output/route-track/rules-save
index 2c3701e..bc09c55 100644
--- a/test/output/route-track/rules-save
+++ b/test/output/route-track/rules-save
@@ -4,41 +4,7 @@
 :INPUT DROP [0:0]
 :OUTPUT DROP [0:0]
 :icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
 -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-3
 -A FORWARD -i eth0 -j ACCEPT
 -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
 -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -96,53 +62,11 @@
 -A INPUT -m limit --limit 1/second -j LOG
 -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
--A INPUT -j logpass-3
 -A INPUT -i eth0 -j ACCEPT
 -A INPUT -j ACCEPT
 -A INPUT -p icmp -j icmp-routing
 -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-3
 -A OUTPUT -m limit --limit 12/minute -j ULOG
 -A OUTPUT -j ACCEPT
 -A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -150,31 +74,6 @@
 -A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
 -A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
 -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway 10.0.0.1
--A logaccept-2 -j TEE --gateway 10.0.0.2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -m limit --limit 12/minute -j ULOG
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway 10.0.0.1
--A logdrop-3 -j TEE --gateway 10.0.0.2
--A logdrop-3 -j DROP
--A logdrop-4 -m limit --limit 12/minute -j ULOG
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
 COMMIT
 *mangle
 :FORWARD ACCEPT [0:0]
diff --git a/test/output/route-track/rules6-save b/test/output/route-track/rules6-save
index cca38f2..e479beb 100644
--- a/test/output/route-track/rules6-save
+++ b/test/output/route-track/rules6-save
@@ -4,39 +4,7 @@
 :INPUT DROP [0:0]
 :OUTPUT DROP [0:0]
 :icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
 -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
 -A FORWARD -i eth0 -j ACCEPT
 -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
 -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -68,80 +36,18 @@
 -A INPUT -m limit --limit 1/second -j LOG
 -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
 -A INPUT -i eth0 -j ACCEPT
 -A INPUT -j ACCEPT
 -A INPUT -p icmpv6 -j ACCEPT
 -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j ACCEPT
 -A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
 -A OUTPUT -p icmpv6 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j TEE --gateway fc00::1
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway fc00::2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j TEE --gateway fc00::1
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway fc00::2
--A logdrop-3 -j DROP
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
 COMMIT
 *mangle
 :INPUT ACCEPT [0:0]
diff --git a/test/output/tproxy/dump b/test/output/tproxy/dump
index dcff82d..d84b4e1 100644
--- a/test/output/tproxy/dump
+++ b/test/output/tproxy/dump
@@ -12,336 +12,103 @@ Dnat 2 {"in":"B"} inet/nat/PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT -Filter 1 {} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 2 {"action":"drop"} -(log) - inet/filter/FORWARD -j logdrop-0 - inet/filter/INPUT -j logdrop-0 - inet/filter/OUTPUT -j logdrop-0 - inet/filter/logdrop-0 -m limit --limit 1/second -j LOG - inet/filter/logdrop-0 -j DROP - inet6/filter/FORWARD -j logdrop-0 - inet6/filter/INPUT -j logdrop-0 - inet6/filter/OUTPUT -j logdrop-0 - inet6/filter/logdrop-0 -m limit --limit 1/second -j LOG - inet6/filter/logdrop-0 -j DROP - -Filter 3 {"action":"pass"} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 4 {"log":false} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 5 {"action":"drop","log":false} -(log) - inet/filter/FORWARD -j DROP - inet/filter/INPUT -j DROP - inet/filter/OUTPUT -j DROP - inet6/filter/FORWARD -j DROP - inet6/filter/INPUT -j DROP - inet6/filter/OUTPUT -j DROP - -Filter 6 {"action":"pass","log":false} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 7 {"log":true} -(log) - inet/filter/FORWARD -j logaccept-0 - inet/filter/INPUT -j logaccept-0 - inet/filter/OUTPUT -j logaccept-0 - inet/filter/logaccept-0 -m limit --limit 1/second -j LOG - inet/filter/logaccept-0 -j ACCEPT - inet6/filter/FORWARD -j logaccept-0 - inet6/filter/INPUT -j logaccept-0 - inet6/filter/OUTPUT -j logaccept-0 - inet6/filter/logaccept-0 -m limit --limit 1/second -j LOG - inet6/filter/logaccept-0 -j ACCEPT - -Filter 8 
{"action":"drop","log":true} -(log) - inet/filter/FORWARD -j logdrop-1 - inet/filter/INPUT -j logdrop-1 - inet/filter/OUTPUT -j logdrop-1 - inet/filter/logdrop-1 -m limit --limit 1/second -j LOG - inet/filter/logdrop-1 -j DROP - inet6/filter/FORWARD -j logdrop-1 - inet6/filter/INPUT -j logdrop-1 - inet6/filter/OUTPUT -j logdrop-1 - inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG - inet6/filter/logdrop-1 -j DROP - -Filter 9 {"action":"pass","log":true} -(log) - inet/filter/FORWARD -j logpass-0 - inet/filter/INPUT -j logpass-0 - inet/filter/OUTPUT -j logpass-0 - inet/filter/logpass-0 -m limit --limit 1/second -j LOG - inet6/filter/FORWARD -j logpass-0 - inet6/filter/INPUT -j logpass-0 - inet6/filter/OUTPUT -j logpass-0 - inet6/filter/logpass-0 -m limit --limit 1/second -j LOG - -Filter 10 {"log":"dual"} -(log) - inet/filter/FORWARD -j logaccept-1 - inet/filter/INPUT -j logaccept-1 - inet/filter/OUTPUT -j logaccept-1 - inet/filter/logaccept-1 -j LOG - inet/filter/logaccept-1 -j ACCEPT - inet6/filter/FORWARD -j logaccept-1 - inet6/filter/INPUT -j logaccept-1 - inet6/filter/OUTPUT -j logaccept-1 - inet6/filter/logaccept-1 -j LOG - inet6/filter/logaccept-1 -j TEE --gateway fc00::1 - inet6/filter/logaccept-1 -j ACCEPT - -Filter 11 {"action":"drop","log":"dual"} -(log) - inet/filter/FORWARD -j logdrop-2 - inet/filter/INPUT -j logdrop-2 - inet/filter/OUTPUT -j logdrop-2 - inet/filter/logdrop-2 -j LOG - inet/filter/logdrop-2 -j DROP - inet6/filter/FORWARD -j logdrop-2 - inet6/filter/INPUT -j logdrop-2 - inet6/filter/OUTPUT -j logdrop-2 - inet6/filter/logdrop-2 -j LOG - inet6/filter/logdrop-2 -j TEE --gateway fc00::1 - inet6/filter/logdrop-2 -j DROP - -Filter 12 {"action":"pass","log":"dual"} -(log) - inet/filter/FORWARD -j logpass-1 - inet/filter/INPUT -j logpass-1 - inet/filter/OUTPUT -j logpass-1 - inet/filter/logpass-1 -j LOG - inet6/filter/FORWARD -j logpass-1 - inet6/filter/INPUT -j logpass-1 - inet6/filter/OUTPUT -j logpass-1 - inet6/filter/logpass-1 -j LOG - 
inet6/filter/logpass-1 -j TEE --gateway fc00::1 - -Filter 13 {"log":"mirror"} -(log) - inet/filter/FORWARD -j logaccept-2 - inet/filter/INPUT -j logaccept-2 - inet/filter/OUTPUT -j logaccept-2 - inet/filter/logaccept-2 -j TEE --gateway 10.0.0.1 - inet/filter/logaccept-2 -j TEE --gateway 10.0.0.2 - inet/filter/logaccept-2 -j ACCEPT - inet6/filter/FORWARD -j logaccept-2 - inet6/filter/INPUT -j logaccept-2 - inet6/filter/OUTPUT -j logaccept-2 - inet6/filter/logaccept-2 -j TEE --gateway fc00::2 - inet6/filter/logaccept-2 -j ACCEPT - -Filter 14 {"action":"drop","log":"mirror"} -(log) - inet/filter/FORWARD -j logdrop-3 - inet/filter/INPUT -j logdrop-3 - inet/filter/OUTPUT -j logdrop-3 - inet/filter/logdrop-3 -j TEE --gateway 10.0.0.1 - inet/filter/logdrop-3 -j TEE --gateway 10.0.0.2 - inet/filter/logdrop-3 -j DROP - inet6/filter/FORWARD -j logdrop-3 - inet6/filter/INPUT -j logdrop-3 - inet6/filter/OUTPUT -j logdrop-3 - inet6/filter/logdrop-3 -j TEE --gateway fc00::2 - inet6/filter/logdrop-3 -j DROP - -Filter 15 {"action":"pass","log":"mirror"} -(log) - inet/filter/FORWARD -j logpass-2 - inet/filter/INPUT -j logpass-2 - inet/filter/OUTPUT -j logpass-2 - inet/filter/logpass-2 -j TEE --gateway 10.0.0.1 - inet/filter/logpass-2 -j TEE --gateway 10.0.0.2 - inet6/filter/FORWARD -j logpass-2 - inet6/filter/INPUT -j logpass-2 - inet6/filter/OUTPUT -j logpass-2 - inet6/filter/logpass-2 -j TEE --gateway fc00::2 - -Filter 16 {"log":"none"} -(log) - inet/filter/FORWARD -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 17 {"action":"drop","log":"none"} -(log) - inet/filter/FORWARD -j DROP - inet/filter/INPUT -j DROP - inet/filter/OUTPUT -j DROP - inet6/filter/FORWARD -j DROP - inet6/filter/INPUT -j DROP - inet6/filter/OUTPUT -j DROP - -Filter 18 {"action":"pass","log":"none"} -(log) - inet/filter/FORWARD - inet/filter/INPUT - inet/filter/OUTPUT - 
inet6/filter/FORWARD - inet6/filter/INPUT - inet6/filter/OUTPUT - -Filter 19 {"log":"ulog"} -(log) - inet/filter/FORWARD -j logaccept-3 - inet/filter/INPUT -j logaccept-3 - inet/filter/OUTPUT -j logaccept-3 - inet/filter/logaccept-3 -m limit --limit 12/minute -j ULOG - inet/filter/logaccept-3 -j ACCEPT - inet6/filter/FORWARD -j logaccept-3 - inet6/filter/INPUT -j logaccept-3 - inet6/filter/OUTPUT -j logaccept-3 - inet6/filter/logaccept-3 -j ACCEPT - -Filter 20 {"action":"drop","log":"ulog"} -(log) - inet/filter/FORWARD -j logdrop-4 - inet/filter/INPUT -j logdrop-4 - inet/filter/OUTPUT -j logdrop-4 - inet/filter/logdrop-4 -m limit --limit 12/minute -j ULOG - inet/filter/logdrop-4 -j DROP - inet6/filter/FORWARD -j logdrop-4 - inet6/filter/INPUT -j logdrop-4 - inet6/filter/OUTPUT -j logdrop-4 - inet6/filter/logdrop-4 -j DROP - -Filter 21 {"action":"pass","log":"ulog"} -(log) - inet/filter/FORWARD -j logpass-3 - inet/filter/INPUT -j logpass-3 - inet/filter/OUTPUT -j logpass-3 - inet/filter/logpass-3 -m limit --limit 12/minute -j ULOG - -Filter 22 {"action":"pass","in":"_fw","log":"ulog"} -(log) - inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG - -Filter 23 {"in":["_fw","A"]} -(zone) - inet/filter/FORWARD -i eth0 -j ACCEPT - inet/filter/INPUT -i eth0 -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -i eth0 -j ACCEPT - inet6/filter/INPUT -i eth0 -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 24 {"in":"B","out":"C"} -(zone) - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT +Filter 1 {"action":"pass","in":"_fw","log":"ulog"} +(log) + inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG -Filter 25 {"out":["_fw","B"]} -(zone) - inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/INPUT -j ACCEPT 
- inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT - -Filter 26 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} -(zone) - inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j 
ACCEPT - inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT - 
inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT +Filter 2 {"in":["_fw","A"]} +(zone) + inet/filter/FORWARD -i eth0 -j ACCEPT + inet/filter/INPUT -i eth0 -j ACCEPT + inet/filter/OUTPUT -j ACCEPT + inet6/filter/FORWARD -i eth0 -j ACCEPT + inet6/filter/INPUT -i eth0 -j ACCEPT + inet6/filter/OUTPUT -j ACCEPT + +Filter 3 {"in":"B","out":"C"} +(zone) + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + +Filter 4 {"out":["_fw","B"]} +(zone) + inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/INPUT -j ACCEPT + inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/INPUT -j ACCEPT + inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT + +Filter 5 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} +(zone) + inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + 
inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -m policy 
--dir in --pol ipsec -o eth0 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT Ipset 
awall-masquerade {"family":"inet","type":"hash:net"}
@@ -687,41 +454,7 @@ hash:net family inet
 :INPUT DROP [0:0]
 :OUTPUT DROP [0:0]
 :icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
 -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-3
 -A FORWARD -i eth0 -j ACCEPT
 -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
 -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -779,53 +512,11 @@ hash:net family inet
 -A INPUT -m limit --limit 1/second -j LOG
 -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
--A INPUT -j logpass-3
 -A INPUT -i eth0 -j ACCEPT
 -A INPUT -j ACCEPT
 -A INPUT -p icmp -j icmp-routing
 -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-3
 -A OUTPUT -m limit --limit 12/minute -j ULOG
 -A OUTPUT -j ACCEPT
 -A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -833,31 +524,6 @@ hash:net family inet
 -A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
 -A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
 -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway 10.0.0.1
--A logaccept-2 -j TEE --gateway 10.0.0.2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -m limit --limit 12/minute -j ULOG
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway 10.0.0.1
--A logdrop-3 -j TEE --gateway 10.0.0.2
--A logdrop-3 -j DROP
--A logdrop-4 -m limit --limit 12/minute -j ULOG
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
 COMMIT
 *mangle
 :FORWARD ACCEPT [0:0]
@@ -907,39 +573,7 @@ COMMIT
 :INPUT DROP [0:0]
 :OUTPUT DROP [0:0]
 :icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
 -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
 -A FORWARD -i eth0 -j ACCEPT
 -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
 -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -971,80 +605,18 @@ COMMIT
 -A INPUT -m limit --limit 1/second -j LOG
 -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
 -A INPUT -i eth0 -j ACCEPT
 -A INPUT -j ACCEPT
 -A INPUT -p icmpv6 -j ACCEPT
 -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j ACCEPT
 -A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
 -A OUTPUT -p icmpv6 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j TEE --gateway fc00::1
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway fc00::2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j TEE --gateway fc00::1
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway fc00::2
--A logdrop-3 -j DROP
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
 COMMIT
 *mangle
 :INPUT ACCEPT [0:0]
diff --git a/test/output/tproxy/rules-save b/test/output/tproxy/rules-save
index a65f2fe..48dd2f4 100644
--- a/test/output/tproxy/rules-save
+++ b/test/output/tproxy/rules-save
@@ -4,41 +4,7 @@
 :INPUT DROP [0:0]
 :OUTPUT DROP [0:0]
 :icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
-:logpass-3 - [0:0]
 -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
--A FORWARD -j logpass-3
 -A FORWARD -i eth0 -j ACCEPT
 -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
 -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -96,53 +62,11 @@
 -A INPUT -m limit --limit 1/second -j LOG
 -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
--A INPUT -j logpass-3
 -A INPUT -i eth0 -j ACCEPT
 -A INPUT -j ACCEPT
 -A INPUT -p icmp -j icmp-routing
 -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j logpass-3
 -A OUTPUT -m limit --limit 12/minute -j ULOG
 -A OUTPUT -j ACCEPT
 -A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
@@ -150,31 +74,6 @@
 -A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
 -A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
 -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway 10.0.0.1
--A logaccept-2 -j TEE --gateway 10.0.0.2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -m limit --limit 12/minute -j ULOG
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway 10.0.0.1
--A logdrop-3 -j TEE --gateway 10.0.0.2
--A logdrop-3 -j DROP
--A logdrop-4 -m limit --limit 12/minute -j ULOG
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-2 -j TEE --gateway 10.0.0.1
--A logpass-2 -j TEE --gateway 10.0.0.2
--A logpass-3 -m limit --limit 12/minute -j ULOG
 COMMIT
 *mangle
 :FORWARD ACCEPT [0:0]
diff --git a/test/output/tproxy/rules6-save b/test/output/tproxy/rules6-save
index 08f7075..e53cbd2 100644
--- a/test/output/tproxy/rules6-save
+++ b/test/output/tproxy/rules6-save
@@ -4,39 +4,7 @@
 :INPUT DROP [0:0]
 :OUTPUT DROP [0:0]
 :icmp-routing - [0:0]
-:logaccept-0 - [0:0]
-:logaccept-1 - [0:0]
-:logaccept-2 - [0:0]
-:logaccept-3 - [0:0]
-:logdrop-0 - [0:0]
-:logdrop-1 - [0:0]
-:logdrop-2 - [0:0]
-:logdrop-3 - [0:0]
-:logdrop-4 - [0:0]
-:logpass-0 - [0:0]
-:logpass-1 - [0:0]
-:logpass-2 - [0:0]
 -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
--A FORWARD -j ACCEPT
--A FORWARD -j logdrop-0
--A FORWARD
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-0
--A FORWARD -j logdrop-1
--A FORWARD -j logpass-0
--A FORWARD -j logaccept-1
--A FORWARD -j logdrop-2
--A FORWARD -j logpass-1
--A FORWARD -j logaccept-2
--A FORWARD -j logdrop-3
--A FORWARD -j logpass-2
--A FORWARD -j ACCEPT
--A FORWARD -j DROP
--A FORWARD
--A FORWARD -j logaccept-3
--A FORWARD -j logdrop-4
 -A FORWARD -i eth0 -j ACCEPT
 -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
 -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -68,80 +36,18 @@
 -A INPUT -m limit --limit 1/second -j LOG
 -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
--A INPUT -j ACCEPT
--A INPUT -j logdrop-0
--A INPUT
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-0
--A INPUT -j logdrop-1
--A INPUT -j logpass-0
--A INPUT -j logaccept-1
--A INPUT -j logdrop-2
--A INPUT -j logpass-1
--A INPUT -j logaccept-2
--A INPUT -j logdrop-3
--A INPUT -j logpass-2
--A INPUT -j ACCEPT
--A INPUT -j DROP
--A INPUT
--A INPUT -j logaccept-3
--A INPUT -j logdrop-4
 -A INPUT -i eth0 -j ACCEPT
 -A INPUT -j ACCEPT
 -A INPUT -p icmpv6 -j ACCEPT
 -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -j ACCEPT
--A OUTPUT -j logdrop-0
--A OUTPUT
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-0
--A OUTPUT -j logdrop-1
--A OUTPUT -j logpass-0
--A OUTPUT -j logaccept-1
--A OUTPUT -j logdrop-2
--A OUTPUT -j logpass-1
--A OUTPUT -j logaccept-2
--A OUTPUT -j logdrop-3
--A OUTPUT -j logpass-2
--A OUTPUT -j ACCEPT
--A OUTPUT -j DROP
--A OUTPUT
--A OUTPUT -j logaccept-3
--A OUTPUT -j logdrop-4
--A OUTPUT -j ACCEPT
 -A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
 -A OUTPUT -p icmpv6 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
--A logaccept-0 -m limit --limit 1/second -j LOG
--A logaccept-0 -j ACCEPT
--A logaccept-1 -j LOG
--A logaccept-1 -j TEE --gateway fc00::1
--A logaccept-1 -j ACCEPT
--A logaccept-2 -j TEE --gateway fc00::2
--A logaccept-2 -j ACCEPT
--A logaccept-3 -j ACCEPT
--A logdrop-0 -m limit --limit 1/second -j LOG
--A logdrop-0 -j DROP
--A logdrop-1 -m limit --limit 1/second -j LOG
--A logdrop-1 -j DROP
--A logdrop-2 -j LOG
--A logdrop-2 -j TEE --gateway fc00::1
--A logdrop-2 -j DROP
--A logdrop-3 -j TEE --gateway fc00::2
--A logdrop-3 -j DROP
--A logdrop-4 -j DROP
--A logpass-0 -m limit --limit 1/second -j LOG
--A logpass-1 -j LOG
--A logpass-1 -j TEE --gateway fc00::1
--A logpass-2 -j TEE --gateway fc00::2
 COMMIT
 *mangle
 :INPUT ACCEPT [0:0]
|