From 1335ade24e55199069b8ae79e34746a59ae48c01 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 11 Jul 2023 17:00:51 +0200 Subject: tests: shell: cover old scanner bug Add a test to cover 423abaa40ec4 ("scanner: don't rely on fseek for input stream repositioning") that fixes the bug described in https://bugs.gentoo.org/675188. Signed-off-by: Pablo Neira Ayuso --- .../testcases/parsing/dumps/large_rule_pipe.nft | 561 ++++++++++++++++++++ tests/shell/testcases/parsing/large_rule_pipe | 571 +++++++++++++++++++++ 2 files changed, 1132 insertions(+) create mode 100644 tests/shell/testcases/parsing/dumps/large_rule_pipe.nft create mode 100755 tests/shell/testcases/parsing/large_rule_pipe diff --git a/tests/shell/testcases/parsing/dumps/large_rule_pipe.nft b/tests/shell/testcases/parsing/dumps/large_rule_pipe.nft new file mode 100644 index 00000000..15832752 --- /dev/null +++ b/tests/shell/testcases/parsing/dumps/large_rule_pipe.nft 
@@ -0,0 +1,561 @@ +table ip firewalld { + chain nat_PREROUTING { + type nat hook prerouting priority dstnat + 10; policy accept; + jump nat_PREROUTING_ZONES_SOURCE + jump nat_PREROUTING_ZONES + } + + chain nat_PREROUTING_ZONES_SOURCE { + } + + chain nat_PREROUTING_ZONES { + iifname "enp0s25" goto nat_PRE_home + goto nat_PRE_public + } + + chain nat_POSTROUTING { + type nat hook postrouting priority srcnat + 10; policy accept; + jump nat_POSTROUTING_ZONES_SOURCE + jump nat_POSTROUTING_ZONES + } + + chain nat_POSTROUTING_ZONES_SOURCE { + } + + chain nat_POSTROUTING_ZONES { + oifname "enp0s25" goto nat_POST_home + goto nat_POST_public + } + + chain nat_PRE_public { + jump nat_PRE_public_log + jump nat_PRE_public_deny + jump nat_PRE_public_allow + } + + chain nat_PRE_public_log { + } + + chain nat_PRE_public_deny { + } + + chain nat_PRE_public_allow { + } + + chain nat_POST_public { + jump nat_POST_public_log + jump nat_POST_public_deny + jump nat_POST_public_allow + } + + chain nat_POST_public_log { + } + + chain nat_POST_public_deny { + } + + chain nat_POST_public_allow { + } + + chain nat_PRE_home { + jump nat_PRE_home_log + jump nat_PRE_home_deny + jump nat_PRE_home_allow + } + + chain nat_PRE_home_log { + } + + chain nat_PRE_home_deny { + } + + chain nat_PRE_home_allow { + } + + chain nat_POST_home { + jump nat_POST_home_log + jump nat_POST_home_deny + jump nat_POST_home_allow + } + + chain nat_POST_home_log { + } + + chain nat_POST_home_deny { + } + + chain nat_POST_home_allow { + } + + chain nat_PRE_work { + jump nat_PRE_work_log + jump nat_PRE_work_deny + jump nat_PRE_work_allow + } + + chain nat_PRE_work_log { + } + + chain nat_PRE_work_deny { + } + + chain nat_PRE_work_allow { + } + + chain nat_POST_work { + jump nat_POST_work_log + jump nat_POST_work_deny + jump nat_POST_work_allow + } + + chain nat_POST_work_log { + } + + chain nat_POST_work_deny { + } + + chain nat_POST_work_allow { + } +} +table ip6 firewalld { + chain nat_PREROUTING { + type nat hook 
prerouting priority dstnat + 10; policy accept; + jump nat_PREROUTING_ZONES_SOURCE + jump nat_PREROUTING_ZONES + } + + chain nat_PREROUTING_ZONES_SOURCE { + } + + chain nat_PREROUTING_ZONES { + iifname "enp0s25" goto nat_PRE_home + goto nat_PRE_public + } + + chain nat_POSTROUTING { + type nat hook postrouting priority srcnat + 10; policy accept; + jump nat_POSTROUTING_ZONES_SOURCE + jump nat_POSTROUTING_ZONES + } + + chain nat_POSTROUTING_ZONES_SOURCE { + } + + chain nat_POSTROUTING_ZONES { + oifname "enp0s25" goto nat_POST_home + goto nat_POST_public + } + + chain nat_PRE_public { + jump nat_PRE_public_log + jump nat_PRE_public_deny + jump nat_PRE_public_allow + } + + chain nat_PRE_public_log { + } + + chain nat_PRE_public_deny { + } + + chain nat_PRE_public_allow { + } + + chain nat_POST_public { + jump nat_POST_public_log + jump nat_POST_public_deny + jump nat_POST_public_allow + } + + chain nat_POST_public_log { + } + + chain nat_POST_public_deny { + } + + chain nat_POST_public_allow { + } + + chain nat_PRE_home { + jump nat_PRE_home_log + jump nat_PRE_home_deny + jump nat_PRE_home_allow + } + + chain nat_PRE_home_log { + } + + chain nat_PRE_home_deny { + } + + chain nat_PRE_home_allow { + } + + chain nat_POST_home { + jump nat_POST_home_log + jump nat_POST_home_deny + jump nat_POST_home_allow + } + + chain nat_POST_home_log { + } + + chain nat_POST_home_deny { + } + + chain nat_POST_home_allow { + } + + chain nat_PRE_work { + jump nat_PRE_work_log + jump nat_PRE_work_deny + jump nat_PRE_work_allow + } + + chain nat_PRE_work_log { + } + + chain nat_PRE_work_deny { + } + + chain nat_PRE_work_allow { + } + + chain nat_POST_work { + jump nat_POST_work_log + jump nat_POST_work_deny + jump nat_POST_work_allow + } + + chain nat_POST_work_log { + } + + chain nat_POST_work_deny { + } + + chain nat_POST_work_allow { + } +} +table inet firewalld { + chain raw_PREROUTING { + type filter hook prerouting priority raw + 10; policy accept; + icmpv6 type { nd-router-advert, 
nd-neighbor-solicit } accept + meta nfproto ipv6 fib saddr . iif oif missing drop + jump raw_PREROUTING_ZONES_SOURCE + jump raw_PREROUTING_ZONES + } + + chain raw_PREROUTING_ZONES_SOURCE { + } + + chain raw_PREROUTING_ZONES { + iifname "enp0s25" goto raw_PRE_home + goto raw_PRE_public + } + + chain mangle_PREROUTING { + type filter hook prerouting priority mangle + 10; policy accept; + jump mangle_PREROUTING_ZONES_SOURCE + jump mangle_PREROUTING_ZONES + } + + chain mangle_PREROUTING_ZONES_SOURCE { + } + + chain mangle_PREROUTING_ZONES { + iifname "enp0s25" goto mangle_PRE_home + goto mangle_PRE_public + } + + chain filter_INPUT { + type filter hook input priority filter + 10; policy accept; + ct state established,related accept + iifname "lo" accept + jump filter_INPUT_ZONES_SOURCE + jump filter_INPUT_ZONES + ct state invalid drop + reject with icmpx admin-prohibited + } + + chain filter_FORWARD { + type filter hook forward priority filter + 10; policy accept; + ct state established,related accept + iifname "lo" accept + jump filter_FORWARD_IN_ZONES_SOURCE + jump filter_FORWARD_IN_ZONES + jump filter_FORWARD_OUT_ZONES_SOURCE + jump filter_FORWARD_OUT_ZONES + ct state invalid drop + reject with icmpx admin-prohibited + } + + chain filter_INPUT_ZONES_SOURCE { + } + + chain filter_INPUT_ZONES { + iifname "enp0s25" goto filter_IN_home + goto filter_IN_public + } + + chain filter_FORWARD_IN_ZONES_SOURCE { + } + + chain filter_FORWARD_IN_ZONES { + iifname "enp0s25" goto filter_FWDI_home + goto filter_FWDI_public + } + + chain filter_FORWARD_OUT_ZONES_SOURCE { + } + + chain filter_FORWARD_OUT_ZONES { + oifname "enp0s25" goto filter_FWDO_home + goto filter_FWDO_public + } + + chain raw_PRE_public { + jump raw_PRE_public_log + jump raw_PRE_public_deny + jump raw_PRE_public_allow + } + + chain raw_PRE_public_log { + } + + chain raw_PRE_public_deny { + } + + chain raw_PRE_public_allow { + } + + chain filter_IN_public { + jump filter_IN_public_log + jump filter_IN_public_deny 
+ jump filter_IN_public_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_public_log { + } + + chain filter_IN_public_deny { + } + + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept + } + + chain filter_FWDI_public { + jump filter_FWDI_public_log + jump filter_FWDI_public_deny + jump filter_FWDI_public_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_public_log { + } + + chain filter_FWDI_public_deny { + } + + chain filter_FWDI_public_allow { + } + + chain mangle_PRE_public { + jump mangle_PRE_public_log + jump mangle_PRE_public_deny + jump mangle_PRE_public_allow + } + + chain mangle_PRE_public_log { + } + + chain mangle_PRE_public_deny { + } + + chain mangle_PRE_public_allow { + } + + chain filter_FWDO_public { + jump filter_FWDO_public_log + jump filter_FWDO_public_deny + jump filter_FWDO_public_allow + } + + chain filter_FWDO_public_log { + } + + chain filter_FWDO_public_deny { + } + + chain filter_FWDO_public_allow { + } + + chain raw_PRE_home { + jump raw_PRE_home_log + jump raw_PRE_home_deny + jump raw_PRE_home_allow + } + + chain raw_PRE_home_log { + } + + chain raw_PRE_home_deny { + } + + chain raw_PRE_home_allow { + udp dport 137 ct helper "netbios-ns" + } + + chain filter_IN_home { + jump filter_IN_home_log + jump filter_IN_home_deny + jump filter_IN_home_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_home_log { + } + + chain filter_IN_home_deny { + } + + chain filter_IN_home_allow { + tcp dport 22 ct state new,untracked accept + ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept + ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept + udp dport 1714-1764 ct state new,untracked accept + tcp dport 1714-1764 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept + udp dport 137 ct state new,untracked accept + udp dport 138 ct 
state new,untracked accept + tcp dport 139 ct state new,untracked accept + tcp dport 445 ct state new,untracked accept + } + + chain filter_FWDI_home { + jump filter_FWDI_home_log + jump filter_FWDI_home_deny + jump filter_FWDI_home_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_home_log { + } + + chain filter_FWDI_home_deny { + } + + chain filter_FWDI_home_allow { + } + + chain mangle_PRE_home { + jump mangle_PRE_home_log + jump mangle_PRE_home_deny + jump mangle_PRE_home_allow + } + + chain mangle_PRE_home_log { + } + + chain mangle_PRE_home_deny { + } + + chain mangle_PRE_home_allow { + } + + chain filter_FWDO_home { + jump filter_FWDO_home_log + jump filter_FWDO_home_deny + jump filter_FWDO_home_allow + } + + chain filter_FWDO_home_log { + } + + chain filter_FWDO_home_deny { + } + + chain filter_FWDO_home_allow { + } + + chain raw_PRE_work { + jump raw_PRE_work_log + jump raw_PRE_work_deny + jump raw_PRE_work_allow + } + + chain raw_PRE_work_log { + } + + chain raw_PRE_work_deny { + } + + chain raw_PRE_work_allow { + } + + chain filter_IN_work { + jump filter_IN_work_log + jump filter_IN_work_deny + jump filter_IN_work_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_work_log { + } + + chain filter_IN_work_deny { + } + + chain filter_IN_work_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept + } + + chain filter_FWDI_work { + jump filter_FWDI_work_log + jump filter_FWDI_work_deny + jump filter_FWDI_work_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_work_log { + } + + chain filter_FWDI_work_deny { + } + + chain filter_FWDI_work_allow { + } + + chain mangle_PRE_work { + jump mangle_PRE_work_log + jump mangle_PRE_work_deny + jump mangle_PRE_work_allow + } + + chain mangle_PRE_work_log { + } + + chain mangle_PRE_work_deny { + } + + chain mangle_PRE_work_allow { + } + + chain filter_FWDO_work { + jump filter_FWDO_work_log 
+ jump filter_FWDO_work_deny + jump filter_FWDO_work_allow + } + + chain filter_FWDO_work_log { + } + + chain filter_FWDO_work_deny { + } + + chain filter_FWDO_work_allow { + } +} diff --git a/tests/shell/testcases/parsing/large_rule_pipe b/tests/shell/testcases/parsing/large_rule_pipe new file mode 100755 index 00000000..fac0afaa --- /dev/null +++ b/tests/shell/testcases/parsing/large_rule_pipe 
@@ -0,0 +1,571 @@ +#!/bin/bash + +set -e + +RULESET="#!/sbin/nft -f +flush ruleset; +table ip firewalld { + chain nat_PREROUTING { + type nat hook prerouting priority -90; policy accept; + jump nat_PREROUTING_ZONES_SOURCE + jump nat_PREROUTING_ZONES + } + + chain nat_PREROUTING_ZONES_SOURCE { + } + + chain nat_PREROUTING_ZONES { + iifname "enp0s25" goto nat_PRE_home + goto nat_PRE_public + } + + chain nat_POSTROUTING { + type nat hook postrouting priority 110; policy accept; + jump nat_POSTROUTING_ZONES_SOURCE + jump nat_POSTROUTING_ZONES + } + + chain nat_POSTROUTING_ZONES_SOURCE { + } + + chain nat_POSTROUTING_ZONES { + oifname "enp0s25" goto nat_POST_home + goto nat_POST_public + } + + chain nat_PRE_public { + jump nat_PRE_public_log + jump nat_PRE_public_deny + jump nat_PRE_public_allow + } + + chain nat_PRE_public_log { + } + + chain nat_PRE_public_deny { + } + + chain nat_PRE_public_allow { + } + + chain nat_POST_public { + jump nat_POST_public_log + jump nat_POST_public_deny + jump nat_POST_public_allow + } + + chain nat_POST_public_log { + } + + chain nat_POST_public_deny { + } + + chain nat_POST_public_allow { + } + + chain nat_PRE_home { + jump nat_PRE_home_log + jump nat_PRE_home_deny + jump nat_PRE_home_allow + } + + chain nat_PRE_home_log { + } + + chain nat_PRE_home_deny { + } + + chain nat_PRE_home_allow { + } + + chain nat_POST_home { + jump nat_POST_home_log + jump nat_POST_home_deny + jump nat_POST_home_allow + } + + chain nat_POST_home_log { + } + + chain nat_POST_home_deny { + } + + chain nat_POST_home_allow { + } + + chain nat_PRE_work { + jump nat_PRE_work_log + jump nat_PRE_work_deny + jump nat_PRE_work_allow + } + + chain nat_PRE_work_log { + } + + chain nat_PRE_work_deny { + } + + chain nat_PRE_work_allow { + } + + chain nat_POST_work { + jump nat_POST_work_log + jump nat_POST_work_deny + jump nat_POST_work_allow + } + + chain nat_POST_work_log { + } + + chain nat_POST_work_deny { + } + + chain nat_POST_work_allow { + } +} +table ip6 
firewalld { + chain nat_PREROUTING { + type nat hook prerouting priority -90; policy accept; + jump nat_PREROUTING_ZONES_SOURCE + jump nat_PREROUTING_ZONES + } + + chain nat_PREROUTING_ZONES_SOURCE { + } + + chain nat_PREROUTING_ZONES { + iifname "enp0s25" goto nat_PRE_home + goto nat_PRE_public + } + + chain nat_POSTROUTING { + type nat hook postrouting priority 110; policy accept; + jump nat_POSTROUTING_ZONES_SOURCE + jump nat_POSTROUTING_ZONES + } + + chain nat_POSTROUTING_ZONES_SOURCE { + } + + chain nat_POSTROUTING_ZONES { + oifname "enp0s25" goto nat_POST_home + goto nat_POST_public + } + + chain nat_PRE_public { + jump nat_PRE_public_log + jump nat_PRE_public_deny + jump nat_PRE_public_allow + } + + chain nat_PRE_public_log { + } + + chain nat_PRE_public_deny { + } + + chain nat_PRE_public_allow { + } + + chain nat_POST_public { + jump nat_POST_public_log + jump nat_POST_public_deny + jump nat_POST_public_allow + } + + chain nat_POST_public_log { + } + + chain nat_POST_public_deny { + } + + chain nat_POST_public_allow { + } + + chain nat_PRE_home { + jump nat_PRE_home_log + jump nat_PRE_home_deny + jump nat_PRE_home_allow + } + + chain nat_PRE_home_log { + } + + chain nat_PRE_home_deny { + } + + chain nat_PRE_home_allow { + } + + chain nat_POST_home { + jump nat_POST_home_log + jump nat_POST_home_deny + jump nat_POST_home_allow + } + + chain nat_POST_home_log { + } + + chain nat_POST_home_deny { + } + + chain nat_POST_home_allow { + } + + chain nat_PRE_work { + jump nat_PRE_work_log + jump nat_PRE_work_deny + jump nat_PRE_work_allow + } + + chain nat_PRE_work_log { + } + + chain nat_PRE_work_deny { + } + + chain nat_PRE_work_allow { + } + + chain nat_POST_work { + jump nat_POST_work_log + jump nat_POST_work_deny + jump nat_POST_work_allow + } + + chain nat_POST_work_log { + } + + chain nat_POST_work_deny { + } + + chain nat_POST_work_allow { + } +} +table inet firewalld { + chain raw_PREROUTING { + type filter hook prerouting priority -290; policy accept; + 
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept + meta nfproto ipv6 fib saddr . iif oif missing drop + jump raw_PREROUTING_ZONES_SOURCE + jump raw_PREROUTING_ZONES + } + + chain raw_PREROUTING_ZONES_SOURCE { + } + + chain raw_PREROUTING_ZONES { + iifname "enp0s25" goto raw_PRE_home + goto raw_PRE_public + } + + chain mangle_PREROUTING { + type filter hook prerouting priority -140; policy accept; + jump mangle_PREROUTING_ZONES_SOURCE + jump mangle_PREROUTING_ZONES + } + + chain mangle_PREROUTING_ZONES_SOURCE { + } + + chain mangle_PREROUTING_ZONES { + iifname "enp0s25" goto mangle_PRE_home + goto mangle_PRE_public + } + + chain filter_INPUT { + type filter hook input priority 10; policy accept; + ct state established,related accept + iifname "lo" accept + jump filter_INPUT_ZONES_SOURCE + jump filter_INPUT_ZONES + ct state invalid drop + reject with icmpx type admin-prohibited + } + + chain filter_FORWARD { + type filter hook forward priority 10; policy accept; + ct state established,related accept + iifname "lo" accept + jump filter_FORWARD_IN_ZONES_SOURCE + jump filter_FORWARD_IN_ZONES + jump filter_FORWARD_OUT_ZONES_SOURCE + jump filter_FORWARD_OUT_ZONES + ct state invalid drop + reject with icmpx type admin-prohibited + } + + chain filter_INPUT_ZONES_SOURCE { + } + + chain filter_INPUT_ZONES { + iifname "enp0s25" goto filter_IN_home + goto filter_IN_public + } + + chain filter_FORWARD_IN_ZONES_SOURCE { + } + + chain filter_FORWARD_IN_ZONES { + iifname "enp0s25" goto filter_FWDI_home + goto filter_FWDI_public + } + + chain filter_FORWARD_OUT_ZONES_SOURCE { + } + + chain filter_FORWARD_OUT_ZONES { + oifname "enp0s25" goto filter_FWDO_home + goto filter_FWDO_public + } + + chain raw_PRE_public { + jump raw_PRE_public_log + jump raw_PRE_public_deny + jump raw_PRE_public_allow + } + + chain raw_PRE_public_log { + } + + chain raw_PRE_public_deny { + } + + chain raw_PRE_public_allow { + } + + chain filter_IN_public { + jump filter_IN_public_log + jump 
filter_IN_public_deny + jump filter_IN_public_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_public_log { + } + + chain filter_IN_public_deny { + } + + chain filter_IN_public_allow { + tcp dport ssh ct state new,untracked accept + ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept + } + + chain filter_FWDI_public { + jump filter_FWDI_public_log + jump filter_FWDI_public_deny + jump filter_FWDI_public_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_public_log { + } + + chain filter_FWDI_public_deny { + } + + chain filter_FWDI_public_allow { + } + + chain mangle_PRE_public { + jump mangle_PRE_public_log + jump mangle_PRE_public_deny + jump mangle_PRE_public_allow + } + + chain mangle_PRE_public_log { + } + + chain mangle_PRE_public_deny { + } + + chain mangle_PRE_public_allow { + } + + chain filter_FWDO_public { + jump filter_FWDO_public_log + jump filter_FWDO_public_deny + jump filter_FWDO_public_allow + } + + chain filter_FWDO_public_log { + } + + chain filter_FWDO_public_deny { + } + + chain filter_FWDO_public_allow { + } + + chain raw_PRE_home { + jump raw_PRE_home_log + jump raw_PRE_home_deny + jump raw_PRE_home_allow + } + + chain raw_PRE_home_log { + } + + chain raw_PRE_home_deny { + } + + chain raw_PRE_home_allow { + udp dport netbios-ns ct helper "netbios-ns" + } + + chain filter_IN_home { + jump filter_IN_home_log + jump filter_IN_home_deny + jump filter_IN_home_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_home_log { + } + + chain filter_IN_home_deny { + } + + chain filter_IN_home_allow { + tcp dport ssh ct state new,untracked accept + ip daddr 224.0.0.251 udp dport mdns ct state new,untracked accept + ip6 daddr ff02::fb udp dport mdns ct state new,untracked accept + udp dport 1714-1764 ct state new,untracked accept + tcp dport 1714-1764 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept + udp dport 
netbios-ns ct state new,untracked accept + udp dport netbios-dgm ct state new,untracked accept + tcp dport netbios-ssn ct state new,untracked accept + tcp dport microsoft-ds ct state new,untracked accept + } + + chain filter_FWDI_home { + jump filter_FWDI_home_log + jump filter_FWDI_home_deny + jump filter_FWDI_home_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_home_log { + } + + chain filter_FWDI_home_deny { + } + + chain filter_FWDI_home_allow { + } + + chain mangle_PRE_home { + jump mangle_PRE_home_log + jump mangle_PRE_home_deny + jump mangle_PRE_home_allow + } + + chain mangle_PRE_home_log { + } + + chain mangle_PRE_home_deny { + } + + chain mangle_PRE_home_allow { + } + + chain filter_FWDO_home { + jump filter_FWDO_home_log + jump filter_FWDO_home_deny + jump filter_FWDO_home_allow + } + + chain filter_FWDO_home_log { + } + + chain filter_FWDO_home_deny { + } + + chain filter_FWDO_home_allow { + } + + chain raw_PRE_work { + jump raw_PRE_work_log + jump raw_PRE_work_deny + jump raw_PRE_work_allow + } + + chain raw_PRE_work_log { + } + + chain raw_PRE_work_deny { + } + + chain raw_PRE_work_allow { + } + + chain filter_IN_work { + jump filter_IN_work_log + jump filter_IN_work_deny + jump filter_IN_work_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_work_log { + } + + chain filter_IN_work_deny { + } + + chain filter_IN_work_allow { + tcp dport ssh ct state new,untracked accept + ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept + } + + chain filter_FWDI_work { + jump filter_FWDI_work_log + jump filter_FWDI_work_deny + jump filter_FWDI_work_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_work_log { + } + + chain filter_FWDI_work_deny { + } + + chain filter_FWDI_work_allow { + } + + chain mangle_PRE_work { + jump mangle_PRE_work_log + jump mangle_PRE_work_deny + jump mangle_PRE_work_allow + } + + chain mangle_PRE_work_log { + } + + chain mangle_PRE_work_deny { + } 
+ + chain mangle_PRE_work_allow { + } + + chain filter_FWDO_work { + jump filter_FWDO_work_log + jump filter_FWDO_work_deny + jump filter_FWDO_work_allow + } + + chain filter_FWDO_work_log { + } + + chain filter_FWDO_work_deny { + } + + chain filter_FWDO_work_allow { + } +}" + +( echo "flush ruleset;"; echo "${RULESET}" ) | nft -f - + +exit 0 -- cgit v1.2.3
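Review bot: The pipeline at the end of the hunk calls the bare `nft` on PATH, so the test exercises whatever binary is installed rather than the build under test; the other scripts in tests/shell run the binary exported by run-tests.sh (`$NFT`, if I recall the harness correctly), so the line should read `( echo "flush ruleset;"; echo "${RULESET}" ) | $NFT -f -`. A short comment above it would also help, since nothing in the script says why the ruleset is piped instead of passed as a file path: `# feed the ruleset through a pipe: stdin is not seekable, which is the path 423abaa40ec4 fixed`. The `flush ruleset;` line inside RULESET duplicates the one echoed ahead of it; harmless, but worth a word if it is intentional.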