-rw-r--r-- | README.md | 21 | ||||
-rwxr-xr-x | awall-cli | 15 | ||||
-rw-r--r-- | awall/init.lua | 26 | ||||
-rw-r--r-- | awall/iptables.lua | 57 | ||||
-rw-r--r-- | mandatory/defaults.json | 2 | ||||
-rw-r--r-- | test/optional/dedicated.json | 1 | ||||
-rw-r--r-- | test/output/address/dump | 7 | ||||
-rw-r--r-- | test/output/custom/dump | 7 | ||||
-rw-r--r-- | test/output/dedicated/dump | 1076 | ||||
-rw-r--r-- | test/output/dedicated/ipset-awall-masquerade | 2 | ||||
-rw-r--r-- | test/output/dedicated/rules-save | 241 | ||||
-rw-r--r-- | test/output/dedicated/rules6-save | 181 | ||||
-rw-r--r-- | test/output/filter-dnat/dump | 7 | ||||
-rw-r--r-- | test/output/filter-limit/dump | 7 | ||||
-rw-r--r-- | test/output/filter/dump | 7 | ||||
-rw-r--r-- | test/output/no-track/dump | 7 | ||||
-rw-r--r-- | test/output/route-track/dump | 7 | ||||
-rw-r--r-- | test/output/tproxy/dump | 7 |
18 files changed, 1649 insertions, 29 deletions
@@ -631,6 +631,17 @@ customized chain, using the **custom:** prefix. It is also possible to constrain each rule to IPv4 or IPv6 only by defining the **family** attribute as **inet** or **inet6**, respectively. +## <a name="dedicated">Co-Existence with Other Firewall Management Tools + +If awall is used on a host running other software that manipulates +iptables rules, it is recommended to set the +**awall_dedicated_chains** variable to **true**, which will have the +following effects: + +* Awall installs its own rules to dedicated chains prefixed with + **awall-**. +* Activation of awall rules leaves any unrelated rule intact. + ## Command Line Syntax ### Translating Policy Files to Firewall Configuration Files @@ -656,9 +667,15 @@ the Return key within 10 seconds or the `--force` option is used, the configuration is saved to the files. Otherwise, the old configuration is restored. - **awall flush** + **awall flush** \[**-a** | **--all**\] + +Normally, this command deletes all firewall rules and configures it to +drop all packets. -This command configures the firewall to drop all packets. +If awall is configured to [co-exist with other firewall management +tools](#dedicated), this command flushes only the rules installed by +awall. Specifying `--all` overrides this behavior and causes all rules +to be flushed. ### Optional Policies @@ -49,10 +49,15 @@ Run-time activation of new firewall configuration: configuration is restored. Flush firewall configuration: - awall flush + awall flush [-a|--all] - This command deletes all firewall rules and configures it to drop - all packets. + Normally, this command deletes all firewall rules and configures + it to drop all packets. + + If awall is configured to co-exist with other firewall management + tools, this command flushes only the rules installed by awall. + Specifying --all overrides this behavior and causes all rules to + be flushed. Enable/disable optional policies: awall {enable|disable} <policy>... 
@@ -428,7 +433,9 @@ if not call(
 end
- elseif mode == 'flush' then iptables.flush()
+ elseif mode == 'flush' then
+ if all then iptables.flush()
+ else config:flush() end
 else assert(false) end
diff --git a/awall/init.lua b/awall/init.lua
index 605099b..2e77fe2 100644
--- a/awall/init.lua
+++ b/awall/init.lua
@@ -10,7 +10,7 @@ local M = {}
 local class = require('awall.class')
 local resolve = require('awall.dependency')
 local IPSet = require('awall.ipset')
-local IPTables = require('awall.iptables').IPTables
+local iptables = require('awall.iptables')
 local combinations = require('awall.optfrag').combinations
 M.PolicySet = require('awall.policy')
@@ -78,13 +78,19 @@ M.Config = class()
 function M.Config:init(policyconfig)
 self.objects = policyconfig:expand()
- self.iptables = IPTables()
+
+ local dedicated = self.objects.variable.awall_dedicated_chains
+ self.iptables = dedicated and iptables.PartialIPTables() or
+ iptables.IPTables()
+ self.prefix = dedicated and 'awall-' or ''
 local actions = {}
 local function insertrules(trules, obj)
 for _, trule in ipairs(trules) do
- local t = self.iptables.config[trule.family][trule.table][trule.chain]
+ local t = self.iptables.config[trule.family][trule.table][
+ self.prefix..trule.chain
+ ]
 local opts = self:ofragcmd(trule)
 if trule.target then
@@ -150,11 +156,17 @@ function M.Config:init(policyconfig)
 self.ipset = IPSet(self.objects.ipset)
 end
-function M.Config:ofragloc(of) return of.family..'/'..of.table..'/'..of.chain end
+function M.Config:ofragloc(of)
+ return of.family..'/'..of.table..'/'..self.prefix..of.chain
+end
 function M.Config:ofragcmd(of)
- return (of.match and of.match..' ' or '')..
- (of.target and '-j '..of.target or '')
+ local target = ''
+ if of.target then
+ target = '-j '..(util.startswithupper(of.target) and '' or self.prefix)..
+ of.target
+ end
+ return (of.match and of.match..' ' or '')..target
 end
 function M.Config:print()
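Review bot: The non-`--all` branch now calls `config:flush()`, so the emergency flush depends on a fully built `Config`; if `config` is constructed from the policy files unconditionally (its construction is outside this hunk), a broken or missing policy set turns `awall flush` into an error instead of a flush, whereas the old code needed nothing but `iptables.flush()`. Consider falling back to `iptables.flush()` when no config could be loaded, or at least documenting the trade-off on the `else` line: `-- dedicated mode: removes only the awall-* chains and jumps; builtin chain policies are left as they are`. The `all` flag is presumably set by the option parser, which is not in the hunk, and the enclosing `if`/`elseif` chain starts before it.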
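Review bot: `local dedicated = self.objects.variable.awall_dedicated_chains` is consumed purely by truthiness on the next two lines, so a policy that sets the variable to `0`, `""` or the string `"false"` silently selects dedicated chains, because only `nil` and `false` are falsy in Lua. Unless the variable layer already enforces types (not visible here), reject non-booleans up front: `if dedicated ~= nil and type(dedicated) ~= 'boolean' then error('awall_dedicated_chains must be true or false') end`. A comment on the `self.prefix` line would also help readers of `insertrules`: `-- in dedicated mode every chain, including the hook chains for INPUT/OUTPUT/..., is created as awall-<name>`. `M.Config:init` continues beyond the hunk.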
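Review bot: `ofragcmd` prefixes a jump target only when `util.startswithupper(of.target)` is false, while `insertrules` in the hunk above prefixes every chain name unconditionally; if a user-supplied chain name can begin with an upper-case letter, the chain is created as `awall-Name` but jumped to as `Name`, and `iptables-restore` rejects the ruleset. If chain names are validated elsewhere, say so; either way the heuristic deserves a comment above the `if`: `-- targets starting with an upper-case letter are taken to be iptables builtins or extensions (ACCEPT, DROP, LOG, REDIRECT...); anything else is an awall chain and gets self.prefix`. `util` is used here but is not among the requires shown in the hunk at line 10, so it is presumably brought into scope elsewhere in the file.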
@@ -178,5 +190,7 @@ function M.Config:activate()
 self.iptables:activate()
 end
+function M.Config:flush() self.iptables:flush() end
+
 return M
diff --git a/awall/iptables.lua b/awall/iptables.lua
index 67ad84c..c6d429a 100644
--- a/awall/iptables.lua
+++ b/awall/iptables.lua
@@ -16,6 +16,7 @@ local sortedkeys = util.sortedkeys
 local lpc = require('lpc')
 local posix = require('posix')
+local stringy = require('stringy')
 local M = {}
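Review bot: `M.Config:flush` is an undocumented one-line delegation whose effect depends entirely on which backend `init` selected, and a reader coming from `awall-cli` cannot tell that from here. Add above it: `-- Remove the rules installed by this configuration. With awall_dedicated_chains only the awall-* chains and the jumps to them are deleted (PartialIPTables:flush); otherwise the backend's own flush applies.` For the non-dedicated backend this calls an instance method `IPTables:flush`, which this diff does not add; verify that it exists rather than only the module-level `flush` the CLI calls.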
@@ -141,6 +142,62 @@ function M.IPTables:dumpfile(family, iptfile) end +M.PartialIPTables = class(M.IPTables) + +function M.PartialIPTables:restorecmd(family, test) + local cmd = {M.PartialIPTables.super(self):restorecmd(family, test)} + table.insert(cmd, '-n') + return table.unpack(cmd) +end + +function M.PartialIPTables:dumpfile(family, iptfile) + local tables = self.config[family] + for tbl, chains in pairs(tables) do + local builtins = {} + for chain, _ in pairs(chains) do + if stringy.startswith(chain, 'awall-') then + local base = chain:sub(7, -1) + if M.isbuiltin(tbl, base) then table.insert(builtins, base) end + end + end + for _, chain in ipairs(builtins) do + chains[chain] = {'-j awall-'..chain} + end + end + M.PartialIPTables.super(self):dumpfile(family, iptfile) +end + +function M.PartialIPTables:flush() + for _, family in ipairs(actfamilies()) do + local cmd = families[family].cmd + for tbl, _ in pairs(builtin) do + local pid, stdin, stdout = lpc.run(cmd, '-t', tbl, '-S') + stdin:close() + local chains = {} + local rules = {} + for line in stdout:lines() do + if stringy.startswith(line, '-N awall-') then + table.insert(chains, line:sub(4, -1)) + else + local chain, target = line:match('^%-A (%u+) %-j (awall%-%u+)$') + if chain then table.insert(rules, {chain, '-j', target}) end + end + end + stdout:close() + assert(lpc.wait(pid) == 0) + + local function exec(...) + assert(util.execute(cmd, '-t', tbl, table.unpack{...}) == 0) + end + for _, rule in ipairs(rules) do exec('-D', table.unpack(rule)) end + for _, opt in ipairs{'-F', '-X'} do + for _, chain in ipairs(chains) do exec(opt, chain) end + end + end + end +end + + local Current = class(BaseIPTables) function Current:dumpfile(family, iptfile) diff --git a/mandatory/defaults.json b/mandatory/defaults.json index b0e1082..f9b289d 100644 --- a/mandatory/defaults.json +++ b/mandatory/defaults.json 
@@ -1,5 +1,5 @@ { "before": "%defaults", - "variable": { "awall_tproxy_mark": 1 }, + "variable": { "awall_dedicated_chains": false, "awall_tproxy_mark": 1 }, "log": { "_default": { "limit": 1 } } } diff --git a/test/optional/dedicated.json b/test/optional/dedicated.json new file mode 100644 index 0000000..d9085bd --- /dev/null +++ b/test/optional/dedicated.json @@ -0,0 +1 @@ +{ "variable": { "awall_dedicated_chains": true } } diff --git a/test/output/address/dump b/test/output/address/dump index 0e70dcf..9f973a8 100644 --- a/test/output/address/dump +++ b/test/output/address/dump @@ -8345,8 +8345,11 @@ Snat 1 {"out":["_fw","B"]} inet/nat/POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE -Variable awall_tproxy_mark 1 -(defaults) +Variable awall_dedicated_chains false +(defaults) + +Variable awall_tproxy_mark 1 +(defaults) Zone A {"iface":"eth0"} diff --git a/test/output/custom/dump b/test/output/custom/dump index 32f35dd..d303215 100644 --- a/test/output/custom/dump +++ b/test/output/custom/dump @@ -642,8 +642,11 @@ Snat 1 {"out":["_fw","B"]} inet/nat/POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE -Variable awall_tproxy_mark 1 -(defaults) +Variable awall_dedicated_chains false +(defaults) + +Variable awall_tproxy_mark 1 +(defaults) Zone A {"iface":"eth0"} diff --git a/test/output/dedicated/dump b/test/output/dedicated/dump new file mode 100644 index 0000000..8c8530a --- /dev/null +++ b/test/output/dedicated/dump 
@@ -0,0 +1,1076 @@ +Custom foo [{"family":"inet6","match":"-m hl --hl-lt 7","target":"REJECT --reject-with icmpv6-no-route"},{"target":"LED --led-trigger-id foo"}] +(custom-chain) + + +Dnat 1 {"in":["_fw","A"]} +(zone) + inet/nat/awall-OUTPUT -j REDIRECT + inet/nat/awall-PREROUTING -i eth0 -j REDIRECT + +Dnat 2 {"in":"B"} +(zone) + inet/nat/awall-PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT + + +Filter 1 {} +(log) + inet/filter/awall-FORWARD -j ACCEPT + inet/filter/awall-INPUT -j ACCEPT + inet/filter/awall-OUTPUT -j ACCEPT + inet6/filter/awall-FORWARD -j ACCEPT + inet6/filter/awall-INPUT -j ACCEPT + inet6/filter/awall-OUTPUT -j ACCEPT + +Filter 2 {"action":"drop"} +(log) + inet/filter/awall-FORWARD -j awall-logdrop-0 + inet/filter/awall-INPUT -j awall-logdrop-0 + inet/filter/awall-OUTPUT -j awall-logdrop-0 + inet/filter/awall-logdrop-0 -m limit --limit 1/second -j LOG + inet/filter/awall-logdrop-0 -j DROP + inet6/filter/awall-FORWARD -j awall-logdrop-0 + inet6/filter/awall-INPUT -j awall-logdrop-0 + inet6/filter/awall-OUTPUT -j awall-logdrop-0 + inet6/filter/awall-logdrop-0 -m limit --limit 1/second -j LOG + inet6/filter/awall-logdrop-0 -j DROP + +Filter 3 {"action":"pass"} +(log) + inet/filter/awall-FORWARD + inet/filter/awall-INPUT + inet/filter/awall-OUTPUT + inet6/filter/awall-FORWARD + inet6/filter/awall-INPUT + inet6/filter/awall-OUTPUT + +Filter 4 {"log":false} +(log) + inet/filter/awall-FORWARD -j ACCEPT + inet/filter/awall-INPUT -j ACCEPT + inet/filter/awall-OUTPUT -j ACCEPT + inet6/filter/awall-FORWARD -j ACCEPT + inet6/filter/awall-INPUT -j ACCEPT + inet6/filter/awall-OUTPUT -j ACCEPT + +Filter 5 {"action":"drop","log":false} +(log) + inet/filter/awall-FORWARD -j DROP + inet/filter/awall-INPUT -j DROP + inet/filter/awall-OUTPUT -j DROP + inet6/filter/awall-FORWARD -j DROP + inet6/filter/awall-INPUT -j DROP + inet6/filter/awall-OUTPUT -j DROP + +Filter 6 {"action":"pass","log":false} +(log) + inet/filter/awall-FORWARD + inet/filter/awall-INPUT + 
inet/filter/awall-OUTPUT + inet6/filter/awall-FORWARD + inet6/filter/awall-INPUT + inet6/filter/awall-OUTPUT + +Filter 7 {"log":true} +(log) + inet/filter/awall-FORWARD -j awall-logaccept-0 + inet/filter/awall-INPUT -j awall-logaccept-0 + inet/filter/awall-OUTPUT -j awall-logaccept-0 + inet/filter/awall-logaccept-0 -m limit --limit 1/second -j LOG + inet/filter/awall-logaccept-0 -j ACCEPT + inet6/filter/awall-FORWARD -j awall-logaccept-0 + inet6/filter/awall-INPUT -j awall-logaccept-0 + inet6/filter/awall-OUTPUT -j awall-logaccept-0 + inet6/filter/awall-logaccept-0 -m limit --limit 1/second -j LOG + inet6/filter/awall-logaccept-0 -j ACCEPT + +Filter 8 {"action":"drop","log":true} +(log) + inet/filter/awall-FORWARD -j awall-logdrop-1 + inet/filter/awall-INPUT -j awall-logdrop-1 + inet/filter/awall-OUTPUT -j awall-logdrop-1 + inet/filter/awall-logdrop-1 -m limit --limit 1/second -j LOG + inet/filter/awall-logdrop-1 -j DROP + inet6/filter/awall-FORWARD -j awall-logdrop-1 + inet6/filter/awall-INPUT -j awall-logdrop-1 + inet6/filter/awall-OUTPUT -j awall-logdrop-1 + inet6/filter/awall-logdrop-1 -m limit --limit 1/second -j LOG + inet6/filter/awall-logdrop-1 -j DROP + +Filter 9 {"action":"pass","log":true} +(log) + inet/filter/awall-FORWARD -j awall-logpass-0 + inet/filter/awall-INPUT -j awall-logpass-0 + inet/filter/awall-OUTPUT -j awall-logpass-0 + inet/filter/awall-logpass-0 -m limit --limit 1/second -j LOG + inet6/filter/awall-FORWARD -j awall-logpass-0 + inet6/filter/awall-INPUT -j awall-logpass-0 + inet6/filter/awall-OUTPUT -j awall-logpass-0 + inet6/filter/awall-logpass-0 -m limit --limit 1/second -j LOG + +Filter 10 {"log":"dual"} +(log) + inet/filter/awall-FORWARD -j awall-logaccept-1 + inet/filter/awall-INPUT -j awall-logaccept-1 + inet/filter/awall-OUTPUT -j awall-logaccept-1 + inet/filter/awall-logaccept-1 -j LOG + inet/filter/awall-logaccept-1 -j ACCEPT + inet6/filter/awall-FORWARD -j awall-logaccept-1 + inet6/filter/awall-INPUT -j awall-logaccept-1 + 
inet6/filter/awall-OUTPUT -j awall-logaccept-1 + inet6/filter/awall-logaccept-1 -j LOG + inet6/filter/awall-logaccept-1 -j TEE --gateway fc00::1 + inet6/filter/awall-logaccept-1 -j ACCEPT + +Filter 11 {"action":"drop","log":"dual"} +(log) + inet/filter/awall-FORWARD -j awall-logdrop-2 + inet/filter/awall-INPUT -j awall-logdrop-2 + inet/filter/awall-OUTPUT -j awall-logdrop-2 + inet/filter/awall-logdrop-2 -j LOG + inet/filter/awall-logdrop-2 -j DROP + inet6/filter/awall-FORWARD -j awall-logdrop-2 + inet6/filter/awall-INPUT -j awall-logdrop-2 + inet6/filter/awall-OUTPUT -j awall-logdrop-2 + inet6/filter/awall-logdrop-2 -j LOG + inet6/filter/awall-logdrop-2 -j TEE --gateway fc00::1 + inet6/filter/awall-logdrop-2 -j DROP + +Filter 12 {"action":"pass","log":"dual"} +(log) + inet/filter/awall-FORWARD -j awall-logpass-1 + inet/filter/awall-INPUT -j awall-logpass-1 + inet/filter/awall-OUTPUT -j awall-logpass-1 + inet/filter/awall-logpass-1 -j LOG + inet6/filter/awall-FORWARD -j awall-logpass-1 + inet6/filter/awall-INPUT -j awall-logpass-1 + inet6/filter/awall-OUTPUT -j awall-logpass-1 + inet6/filter/awall-logpass-1 -j LOG + inet6/filter/awall-logpass-1 -j TEE --gateway fc00::1 + +Filter 13 {"log":"mirror"} +(log) + inet/filter/awall-FORWARD -j awall-logaccept-2 + inet/filter/awall-INPUT -j awall-logaccept-2 + inet/filter/awall-OUTPUT -j awall-logaccept-2 + inet/filter/awall-logaccept-2 -j TEE --gateway 10.0.0.1 + inet/filter/awall-logaccept-2 -j TEE --gateway 10.0.0.2 + inet/filter/awall-logaccept-2 -j ACCEPT + inet6/filter/awall-FORWARD -j awall-logaccept-2 + inet6/filter/awall-INPUT -j awall-logaccept-2 + inet6/filter/awall-OUTPUT -j awall-logaccept-2 + inet6/filter/awall-logaccept-2 -j TEE --gateway fc00::2 + inet6/filter/awall-logaccept-2 -j ACCEPT + +Filter 14 {"action":"drop","log":"mirror"} +(log) + inet/filter/awall-FORWARD -j awall-logdrop-3 + inet/filter/awall-INPUT -j awall-logdrop-3 + inet/filter/awall-OUTPUT -j awall-logdrop-3 + inet/filter/awall-logdrop-3 -j 
TEE --gateway 10.0.0.1 + inet/filter/awall-logdrop-3 -j TEE --gateway 10.0.0.2 + inet/filter/awall-logdrop-3 -j DROP + inet6/filter/awall-FORWARD -j awall-logdrop-3 + inet6/filter/awall-INPUT -j awall-logdrop-3 + inet6/filter/awall-OUTPUT -j awall-logdrop-3 + inet6/filter/awall-logdrop-3 -j TEE --gateway fc00::2 + inet6/filter/awall-logdrop-3 -j DROP + +Filter 15 {"action":"pass","log":"mirror"} +(log) + inet/filter/awall-FORWARD -j awall-logpass-2 + inet/filter/awall-INPUT -j awall-logpass-2 + inet/filter/awall-OUTPUT -j awall-logpass-2 + inet/filter/awall-logpass-2 -j TEE --gateway 10.0.0.1 + inet/filter/awall-logpass-2 -j TEE --gateway 10.0.0.2 + inet6/filter/awall-FORWARD -j awall-logpass-2 + inet6/filter/awall-INPUT -j awall-logpass-2 + inet6/filter/awall-OUTPUT -j awall-logpass-2 + inet6/filter/awall-logpass-2 -j TEE --gateway fc00::2 + +Filter 16 {"log":"none"} +(log) + inet/filter/awall-FORWARD -j ACCEPT + inet/filter/awall-INPUT -j ACCEPT + inet/filter/awall-OUTPUT -j ACCEPT + inet6/filter/awall-FORWARD -j ACCEPT + inet6/filter/awall-INPUT -j ACCEPT + inet6/filter/awall-OUTPUT -j ACCEPT + +Filter 17 {"action":"drop","log":"none"} +(log) + inet/filter/awall-FORWARD -j DROP + inet/filter/awall-INPUT -j DROP + inet/filter/awall-OUTPUT -j DROP + inet6/filter/awall-FORWARD -j DROP + inet6/filter/awall-INPUT -j DROP + inet6/filter/awall-OUTPUT -j DROP + +Filter 18 {"action":"pass","log":"none"} +(log) + inet/filter/awall-FORWARD + inet/filter/awall-INPUT + inet/filter/awall-OUTPUT + inet6/filter/awall-FORWARD + inet6/filter/awall-INPUT + inet6/filter/awall-OUTPUT + +Filter 19 {"log":"ulog"} +(log) + inet/filter/awall-FORWARD -j awall-logaccept-3 + inet/filter/awall-INPUT -j awall-logaccept-3 + inet/filter/awall-OUTPUT -j awall-logaccept-3 + inet/filter/awall-logaccept-3 -m limit --limit 12/minute -j ULOG + inet/filter/awall-logaccept-3 -j ACCEPT + inet6/filter/awall-FORWARD -j awall-logaccept-3 + inet6/filter/awall-INPUT -j awall-logaccept-3 + 
inet6/filter/awall-OUTPUT -j awall-logaccept-3 + inet6/filter/awall-logaccept-3 -j ACCEPT + +Filter 20 {"action":"drop","log":"ulog"} +(log) + inet/filter/awall-FORWARD -j awall-logdrop-4 + inet/filter/awall-INPUT -j awall-logdrop-4 + inet/filter/awall-OUTPUT -j awall-logdrop-4 + inet/filter/awall-logdrop-4 -m limit --limit 12/minute -j ULOG + inet/filter/awall-logdrop-4 -j DROP + inet6/filter/awall-FORWARD -j awall-logdrop-4 + inet6/filter/awall-INPUT -j awall-logdrop-4 + inet6/filter/awall-OUTPUT -j awall-logdrop-4 + inet6/filter/awall-logdrop-4 -j DROP + +Filter 21 {"action":"pass","log":"ulog"} +(log) + inet/filter/awall-FORWARD -j awall-logpass-3 + inet/filter/awall-INPUT -j awall-logpass-3 + inet/filter/awall-OUTPUT -j awall-logpass-3 + inet/filter/awall-logpass-3 -m limit --limit 12/minute -j ULOG + +Filter 22 {"action":"pass","in":"_fw","log":"ulog"} +(log) + inet/filter/awall-OUTPUT -m limit --limit 12/minute -j ULOG + +Filter 23 {"in":["_fw","A"]} +(zone) + inet/filter/awall-FORWARD -i eth0 -j ACCEPT + inet/filter/awall-INPUT -i eth0 -j ACCEPT + inet/filter/awall-OUTPUT -j ACCEPT + inet6/filter/awall-FORWARD -i eth0 -j ACCEPT + inet6/filter/awall-INPUT -i eth0 -j ACCEPT + inet6/filter/awall-OUTPUT -j ACCEPT + +Filter 24 {"in":"B","out":"C"} +(zone) + inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + +Filter 25 {"out":["_fw","B"]} +(zone) + inet/filter/awall-FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/awall-INPUT -j ACCEPT + inet/filter/awall-OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet6/filter/awall-FORWARD -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/awall-INPUT -j ACCEPT + inet6/filter/awall-OUTPUT -o eth1 -d fc00::/7 -j ACCEPT + +Filter 26 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} +(zone) + inet/filter/awall-FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth0 -o eth2 -d 
10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth0 -o eth4 -j ACCEPT + inet/filter/awall-FORWARD -i eth0 -o eth5 -j ACCEPT + inet/filter/awall-FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT + inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT + inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT + inet/filter/awall-FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT + inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT + inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT + inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT + inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT + inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT + inet/filter/awall-FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/awall-FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/awall-FORWARD -i eth4 -o eth0 -j ACCEPT + inet/filter/awall-FORWARD -i eth5 -o eth0 -j ACCEPT + inet/filter/awall-FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT + 
inet/filter/awall-FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -i eth4 -o eth4 -j ACCEPT + inet/filter/awall-FORWARD -i eth4 -o eth5 -j ACCEPT + inet/filter/awall-FORWARD -i eth5 -o eth4 -j ACCEPT + inet/filter/awall-FORWARD -i eth5 -o eth5 -j ACCEPT + inet/filter/awall-FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/awall-FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT + inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT + inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT + inet/filter/awall-FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/awall-FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/awall-FORWARD -i eth0 -o eth4 -j ACCEPT + inet6/filter/awall-FORWARD -i eth0 -o eth5 -j ACCEPT + inet6/filter/awall-FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/awall-FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT + inet6/filter/awall-FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT + inet6/filter/awall-FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT + inet6/filter/awall-FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/awall-FORWARD -i eth4 -o eth0 -j ACCEPT + inet6/filter/awall-FORWARD -i eth5 -o eth0 -j ACCEPT + inet6/filter/awall-FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/awall-FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT + 
inet6/filter/awall-FORWARD -i eth4 -o eth4 -j ACCEPT + inet6/filter/awall-FORWARD -i eth4 -o eth5 -j ACCEPT + inet6/filter/awall-FORWARD -i eth5 -o eth4 -j ACCEPT + inet6/filter/awall-FORWARD -i eth5 -o eth5 -j ACCEPT + inet6/filter/awall-FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/awall-FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT + inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT + inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT + inet6/filter/awall-FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT + + +Ipset awall-masquerade {"family":"inet","type":"hash:net"} +(masquerade) + + +Limit B true +(limit) + +Limit C 7 +(limit) + +Limit D {"inet":22,"inet6":58} +(limit) + + +Log _default {"limit":1} +(defaults) + +Log dual {"mirror":"fc00::1","mode":"log"} +(log) + +Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]} +(log) + +Log nflog {"group":1,"mode":"nflog","range":128} +(log) + +Log none {"mode":"none"} +(log) + +Log ulog {"limit":{"interval":5},"mode":"ulog"} +(log) + + +Mark 1 {"in":["_fw","A"],"mark":1} +(zone) + inet/mangle/awall-OUTPUT -j MARK --set-mark 1 + inet/mangle/awall-PREROUTING -i eth0 -j MARK --set-mark 1 + inet6/mangle/awall-OUTPUT -j MARK --set-mark 1 + inet6/mangle/awall-PREROUTING -i eth0 -j MARK --set-mark 1 + +Mark 2 {"in":"B","mark":2,"out":"C"} +(zone) + inet/mangle/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j MARK --set-mark 2 + inet/mangle/awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j MARK --set-mark 2 + +Mark 3 {"mark":3,"out":["_fw","B"]} +(zone) + inet/mangle/awall-INPUT -j MARK --set-mark 3 + inet/mangle/awall-POSTROUTING -o eth1 -d 10.0.0.0/12 -j MARK --set-mark 3 + inet6/mangle/awall-INPUT -j MARK 
--set-mark 3 + inet6/mangle/awall-POSTROUTING -o eth1 -d fc00::/7 -j MARK --set-mark 3 + + +No-track 1 {"in":["_fw","A"]} +(zone) + inet/raw/awall-OUTPUT -j CT --notrack + inet/raw/awall-PREROUTING -i eth0 -j CT --notrack + inet6/raw/awall-OUTPUT -j CT --notrack + inet6/raw/awall-PREROUTING -i eth0 -j CT --notrack + +No-track 2 {"in":"B"} +(zone) + inet/raw/awall-PREROUTING -i eth1 -s 10.0.0.0/12 -j CT --notrack + inet6/raw/awall-PREROUTING -i eth1 -s fc00::/7 -j CT --notrack + +No-track 3 {"out":"_fw"} +(zone) + inet/raw/awall-PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack + inet6/raw/awall-PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack + + +Packet-log 1 {"out":"_fw"} +(log) + inet/filter/awall-INPUT -m limit --limit 1/second -j LOG + inet6/filter/awall-INPUT -m limit --limit 1/second -j LOG + +Packet-log 2 {"log":"mirror","out":"_fw"} +(log) + inet/filter/awall-INPUT -j TEE --gateway 10.0.0.1 + inet/filter/awall-INPUT -j TEE --gateway 10.0.0.2 + inet6/filter/awall-INPUT -j TEE --gateway fc00::2 + +Packet-log 3 {"log":"nflog","out":"_fw"} +(log) + inet/filter/awall-INPUT -j NFLOG --nflog-group 1 --nflog-size 128 + inet6/filter/awall-INPUT -j NFLOG --nflog-group 1 --nflog-size 128 + +Packet-log 4 {"log":"ulog","out":"_fw"} +(log) + inet/filter/awall-INPUT -m limit --limit 12/minute -j ULOG + + +Service babel {"port":6697,"proto":"tcp"} +(services) + +Service bacula-dir {"port":9101,"proto":"tcp"} +(services) + +Service bacula-fd {"port":9102,"proto":"tcp"} +(services) + +Service bacula-sd {"port":9103,"proto":"tcp"} +(services) + +Service bgp {"port":179,"proto":"tcp"} +(services) + +Service dhcp {"family":"inet","port":[67,68],"proto":"udp"} +(services) + +Service discard [{"port":9,"proto":"udp"},{"port":9,"proto":"tcp"}] +(services) + +Service dns [{"port":53,"proto":"udp"},{"port":53,"proto":"tcp"}] +(services) + +Service epmap [{"port":135,"proto":"tcp"},{"port":135,"proto":"udp"}] +(services) + +Service ftp 
{"ct-helper":"ftp","port":21,"proto":"tcp"} +(services) + +Service gre {"proto":"gre"} +(services) + +Service hp-pdl {"port":9100,"proto":"tcp"} +(services) + +Service http {"port":80,"proto":"tcp"} +(services) + +Service http-alt {"port":8080,"proto":"tcp"} +(services) + +Service https {"port":443,"proto":"tcp"} +(services) + +Service icmp {"proto":"icmp"} +(services) + +Service igmp {"proto":"igmp"} +(services) + +Service imap {"port":143,"proto":"tcp"} +(services) + +Service imaps {"port":993,"proto":"tcp"} +(services) + +Service ipsec [{"proto":"esp"},{"port":[500,4500],"proto":"udp"}] +(services) + +Service irc {"ct-helper":"irc","port":6667,"proto":"tcp"} +(services) + +Service kerberos [{"port":88,"proto":"tcp"},{"port":88,"proto":"udp"}] +(services) + +Service kpasswd [{"port":464,"proto":"tcp"},{"port":464,"proto":"udp"}] +(services) + +Service l2tp {"port":1701,"proto":"udp"} +(services) + +Service ldap [{"port":389,"proto":"tcp"},{"port":389,"proto":"udp"}] +(services) + +Service ldaps [{"port":636,"proto":"tcp"},{"port":636,"proto":"udp"}] +(services) + +Service microsoft-ds [{"port":445,"proto":"tcp"},{"port":445,"proto":"udp"}] +(services) + +Service ms-sql-m {"port":1434,"proto":"tcp"} +(services) + +Service ms-sql-s {"port":1433,"proto":"tcp"} +(services) + +Service msft-gc [{"port":3268,"proto":"tcp"},{"port":3268,"proto":"udp"}] +(services) + +Service msft-gc-ssl [{"port":3269,"proto":"tcp"},{"port":3269,"proto":"udp"}] +(services) + +Service netbios-ds [{"port":138,"proto":"tcp"},{"port":138,"proto":"udp"}] +(services) + +Service netbios-ns [{"family":"inet","port":137,"proto":"tcp"},{"ct-helper":"netbios-ns","family":"inet","port":137,"proto":"udp"}] +(services) + +Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}] +(services) + +Service ntp {"port":123,"proto":"udp"} +(services) + +Service openvpn {"port":1194,"proto":"udp"} +(services) + +Service ospf {"proto":"ospf"} +(services) + +Service pgsql 
{"port":5432,"proto":"tcp"} +(services) + +Service ping [{"proto":"icmp","reply-type":0,"type":8},{"proto":"icmpv6","reply-type":129,"type":128}] +(services) + +Service pop3 {"port":110,"proto":"tcp"} +(services) + +Service pop3s {"port":995,"proto":"tcp"} +(services) + +Service radius [{"port":1812,"proto":"udp"},{"port":1812,"proto":"tcp"}] +(services) + +Service radius-acct [{"port":1813,"proto":"udp"},{"port":1813,"proto":"tcp"}] +(services) + +Service rdp {"port":3389,"proto":"tcp"} +(services) + +Service rsync {"port":873,"proto":"tcp"} +(services) + +Service rtmp {"port":1935,"proto":"tcp"} +(services) + +Service rtsp {"port":554,"proto":"tcp"} +(services) + +Service sieve {"port":4190,"proto":"tcp"} +(services) + +Service sip [{"ct-helper":"sip","port":5060,"proto":"udp"},{"ct-helper":"sip","port":5060,"proto":"tcp"}] +(services) + +Service sip-tls [{"port":5061,"proto":"udp"},{"port":5061,"proto":"tcp"}] +(services) + +Service smtp {"port":25,"proto":"tcp"} +(services) + +Service snmp {"port":161,"proto":"udp"} +(services) + +Service snmp-trap {"port":162,"proto":"udp"} +(services) + +Service ssh {"port":22,"proto":"tcp"} +(services) + +Service submission {"port":587,"proto":"tcp"} +(services) + +Service syslog {"port":514,"proto":"udp"} +(services) + +Service telnet {"port":23,"proto":"tcp"} +(services) + +Service teredo {"port":3544,"proto":"udp"} +(services) + +Service tftp {"port":69,"proto":"udp"} +(services) + +Service vnc {"port":5900,"proto":"tcp"} +(services) + + +Snat 1 {"out":["_fw","B"]} +(zone) + inet/nat/awall-INPUT -j MASQUERADE + inet/nat/awall-POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE + + +Variable awall_dedicated_chains true +(dedicated) + +Variable awall_tproxy_mark 1 +(defaults) + + +Zone A {"iface":"eth0"} +(zone) + +Zone B {"addr":["10.0.0.0\/12","fc00::\/7"],"iface":"eth1"} +(zone) + +Zone C {"addr":"10.1.0.0\/12","iface":["eth2","eth3"]} +(zone) + +Zone D {"iface":["eth4","eth5"],"route-back":true} +(zone) + +Zone E 
{"ipsec":true} +(zone) + + +# ipset awall-masquerade +hash:net family inet + + +# rules-save generated by awall +*filter +:FORWARD DROP [0:0] +:INPUT DROP [0:0] +:OUTPUT DROP [0:0] +:awall-FORWARD - [0:0] +:awall-INPUT - [0:0] +:awall-OUTPUT - [0:0] +:awall-icmp-routing - [0:0] +:awall-logaccept-0 - [0:0] +:awall-logaccept-1 - [0:0] +:awall-logaccept-2 - [0:0] +:awall-logaccept-3 - [0:0] +:awall-logdrop-0 - [0:0] +:awall-logdrop-1 - [0:0] +:awall-logdrop-2 - [0:0] +:awall-logdrop-3 - [0:0] +:awall-logdrop-4 - [0:0] +:awall-logpass-0 - [0:0] +:awall-logpass-1 - [0:0] +:awall-logpass-2 - [0:0] +:awall-logpass-3 - [0:0] +-A FORWARD -j awall-FORWARD +-A INPUT -j awall-INPUT +-A OUTPUT -j awall-OUTPUT +-A awall-FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A awall-FORWARD -j ACCEPT +-A awall-FORWARD -j awall-logdrop-0 +-A awall-FORWARD +-A awall-FORWARD -j ACCEPT +-A awall-FORWARD -j DROP +-A awall-FORWARD +-A awall-FORWARD -j awall-logaccept-0 +-A awall-FORWARD -j awall-logdrop-1 +-A awall-FORWARD -j awall-logpass-0 +-A awall-FORWARD -j awall-logaccept-1 +-A awall-FORWARD -j awall-logdrop-2 +-A awall-FORWARD -j awall-logpass-1 +-A awall-FORWARD -j awall-logaccept-2 +-A awall-FORWARD -j awall-logdrop-3 +-A awall-FORWARD -j awall-logpass-2 +-A awall-FORWARD -j ACCEPT +-A awall-FORWARD -j DROP +-A awall-FORWARD +-A awall-FORWARD -j awall-logaccept-3 +-A awall-FORWARD -j awall-logdrop-4 +-A awall-FORWARD -j awall-logpass-3 +-A awall-FORWARD -i eth0 -j ACCEPT +-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth0 -o eth4 -j ACCEPT +-A awall-FORWARD -i eth0 -o eth5 -j ACCEPT +-A awall-FORWARD -i eth0 -m policy --dir out --pol 
ipsec -j ACCEPT +-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT +-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT +-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT +-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT +-A awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT +-A awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT +-A awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT +-A awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT +-A awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT +-A awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT +-A awall-FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT +-A awall-FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT +-A awall-FORWARD -i eth4 -o eth0 -j ACCEPT +-A awall-FORWARD -i eth5 -o eth0 -j ACCEPT +-A awall-FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth4 -o eth4 -j ACCEPT +-A awall-FORWARD -i eth4 -o eth5 -j ACCEPT +-A awall-FORWARD -i eth5 -o eth4 -j ACCEPT +-A awall-FORWARD -i eth5 -o eth5 -j ACCEPT +-A awall-FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT +-A awall-FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT +-A 
awall-FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT +-A awall-FORWARD -p icmp -j awall-icmp-routing +-A awall-INPUT -m limit --limit 12/minute -j ULOG +-A awall-INPUT -j NFLOG --nflog-group 1 --nflog-size 128 +-A awall-INPUT -j TEE --gateway 10.0.0.2 +-A awall-INPUT -j TEE --gateway 10.0.0.1 +-A awall-INPUT -m limit --limit 1/second -j LOG +-A awall-INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A awall-INPUT -i lo -j ACCEPT +-A awall-INPUT -j ACCEPT +-A awall-INPUT -j awall-logdrop-0 +-A awall-INPUT +-A awall-INPUT -j ACCEPT +-A awall-INPUT -j DROP +-A awall-INPUT +-A awall-INPUT -j awall-logaccept-0 +-A awall-INPUT -j awall-logdrop-1 +-A awall-INPUT -j awall-logpass-0 +-A awall-INPUT -j awall-logaccept-1 +-A awall-INPUT -j awall-logdrop-2 +-A awall-INPUT -j awall-logpass-1 +-A awall-INPUT -j awall-logaccept-2 +-A awall-INPUT -j awall-logdrop-3 +-A awall-INPUT -j awall-logpass-2 +-A awall-INPUT -j ACCEPT +-A awall-INPUT -j DROP +-A awall-INPUT +-A awall-INPUT -j awall-logaccept-3 +-A awall-INPUT -j awall-logdrop-4 +-A awall-INPUT -j awall-logpass-3 +-A awall-INPUT -i eth0 -j ACCEPT +-A awall-INPUT -j ACCEPT +-A awall-INPUT -p icmp -j awall-icmp-routing +-A awall-OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A awall-OUTPUT -o lo -j ACCEPT +-A awall-OUTPUT -j ACCEPT +-A awall-OUTPUT -j awall-logdrop-0 +-A awall-OUTPUT +-A awall-OUTPUT -j ACCEPT +-A awall-OUTPUT -j DROP +-A awall-OUTPUT +-A awall-OUTPUT -j awall-logaccept-0 +-A awall-OUTPUT -j awall-logdrop-1 +-A awall-OUTPUT -j 
awall-logpass-0 +-A awall-OUTPUT -j awall-logaccept-1 +-A awall-OUTPUT -j awall-logdrop-2 +-A awall-OUTPUT -j awall-logpass-1 +-A awall-OUTPUT -j awall-logaccept-2 +-A awall-OUTPUT -j awall-logdrop-3 +-A awall-OUTPUT -j awall-logpass-2 +-A awall-OUTPUT -j ACCEPT +-A awall-OUTPUT -j DROP +-A awall-OUTPUT +-A awall-OUTPUT -j awall-logaccept-3 +-A awall-OUTPUT -j awall-logdrop-4 +-A awall-OUTPUT -j awall-logpass-3 +-A awall-OUTPUT -m limit --limit 12/minute -j ULOG +-A awall-OUTPUT -j ACCEPT +-A awall-OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A awall-OUTPUT -p icmp -j awall-icmp-routing +-A awall-icmp-routing -p icmp --icmp-type 3 -j ACCEPT +-A awall-icmp-routing -p icmp --icmp-type 11 -j ACCEPT +-A awall-icmp-routing -p icmp --icmp-type 12 -j ACCEPT +-A awall-logaccept-0 -m limit --limit 1/second -j LOG +-A awall-logaccept-0 -j ACCEPT +-A awall-logaccept-1 -j LOG +-A awall-logaccept-1 -j ACCEPT +-A awall-logaccept-2 -j TEE --gateway 10.0.0.1 +-A awall-logaccept-2 -j TEE --gateway 10.0.0.2 +-A awall-logaccept-2 -j ACCEPT +-A awall-logaccept-3 -m limit --limit 12/minute -j ULOG +-A awall-logaccept-3 -j ACCEPT +-A awall-logdrop-0 -m limit --limit 1/second -j LOG +-A awall-logdrop-0 -j DROP +-A awall-logdrop-1 -m limit --limit 1/second -j LOG +-A awall-logdrop-1 -j DROP +-A awall-logdrop-2 -j LOG +-A awall-logdrop-2 -j DROP +-A awall-logdrop-3 -j TEE --gateway 10.0.0.1 +-A awall-logdrop-3 -j TEE --gateway 10.0.0.2 +-A awall-logdrop-3 -j DROP +-A awall-logdrop-4 -m limit --limit 12/minute -j ULOG +-A awall-logdrop-4 -j DROP +-A awall-logpass-0 -m limit --limit 1/second -j LOG +-A awall-logpass-1 -j LOG +-A awall-logpass-2 -j TEE --gateway 10.0.0.1 +-A awall-logpass-2 -j TEE --gateway 10.0.0.2 +-A awall-logpass-3 -m limit --limit 12/minute -j ULOG +COMMIT +*mangle +:FORWARD ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +:awall-FORWARD - [0:0] +:awall-INPUT - [0:0] +:awall-OUTPUT - [0:0] +:awall-POSTROUTING - 
[0:0] +:awall-PREROUTING - [0:0] +-A FORWARD -j awall-FORWARD +-A INPUT -j awall-INPUT +-A OUTPUT -j awall-OUTPUT +-A POSTROUTING -j awall-POSTROUTING +-A PREROUTING -j awall-PREROUTING +-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j MARK --set-mark 2 +-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j MARK --set-mark 2 +-A awall-INPUT -j MARK --set-mark 3 +-A awall-OUTPUT -j MARK --set-mark 1 +-A awall-POSTROUTING -o eth1 -d 10.0.0.0/12 -j MARK --set-mark 3 +-A awall-PREROUTING -i eth0 -j MARK --set-mark 1 +COMMIT +*nat +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +:awall-INPUT - [0:0] +:awall-OUTPUT - [0:0] +:awall-POSTROUTING - [0:0] +:awall-PREROUTING - [0:0] +:awall-awall-masquerade - [0:0] +-A INPUT -j awall-INPUT +-A OUTPUT -j awall-OUTPUT +-A POSTROUTING -j awall-POSTROUTING +-A PREROUTING -j awall-PREROUTING +-A awall-INPUT -j MASQUERADE +-A awall-OUTPUT -j REDIRECT +-A awall-POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE +-A awall-POSTROUTING -m set --match-set awall-masquerade src -j awall-awall-masquerade +-A awall-PREROUTING -i eth0 -j REDIRECT +-A awall-PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT +-A awall-awall-masquerade -m set ! 
--match-set awall-masquerade dst -j MASQUERADE +COMMIT +*raw +:OUTPUT ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +:awall-OUTPUT - [0:0] +:awall-PREROUTING - [0:0] +-A OUTPUT -j awall-OUTPUT +-A PREROUTING -j awall-PREROUTING +-A awall-OUTPUT -j CT --notrack +-A awall-PREROUTING -i eth0 -j CT --notrack +-A awall-PREROUTING -i eth1 -s 10.0.0.0/12 -j CT --notrack +-A awall-PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack +COMMIT + +# rules6-save generated by awall +*filter +:FORWARD DROP [0:0] +:INPUT DROP [0:0] +:OUTPUT DROP [0:0] +:awall-FORWARD - [0:0] +:awall-INPUT - [0:0] +:awall-OUTPUT - [0:0] +:awall-icmp-routing - [0:0] +:awall-logaccept-0 - [0:0] +:awall-logaccept-1 - [0:0] +:awall-logaccept-2 - [0:0] +:awall-logaccept-3 - [0:0] +:awall-logdrop-0 - [0:0] +:awall-logdrop-1 - [0:0] +:awall-logdrop-2 - [0:0] +:awall-logdrop-3 - [0:0] +:awall-logdrop-4 - [0:0] +:awall-logpass-0 - [0:0] +:awall-logpass-1 - [0:0] +:awall-logpass-2 - [0:0] +-A FORWARD -j awall-FORWARD +-A INPUT -j awall-INPUT +-A OUTPUT -j awall-OUTPUT +-A awall-FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A awall-FORWARD -j ACCEPT +-A awall-FORWARD -j awall-logdrop-0 +-A awall-FORWARD +-A awall-FORWARD -j ACCEPT +-A awall-FORWARD -j DROP +-A awall-FORWARD +-A awall-FORWARD -j awall-logaccept-0 +-A awall-FORWARD -j awall-logdrop-1 +-A awall-FORWARD -j awall-logpass-0 +-A awall-FORWARD -j awall-logaccept-1 +-A awall-FORWARD -j awall-logdrop-2 +-A awall-FORWARD -j awall-logpass-1 +-A awall-FORWARD -j awall-logaccept-2 +-A awall-FORWARD -j awall-logdrop-3 +-A awall-FORWARD -j awall-logpass-2 +-A awall-FORWARD -j ACCEPT +-A awall-FORWARD -j DROP +-A awall-FORWARD +-A awall-FORWARD -j awall-logaccept-3 +-A awall-FORWARD -j awall-logdrop-4 +-A awall-FORWARD -i eth0 -j ACCEPT +-A awall-FORWARD -o eth1 -d fc00::/7 -j ACCEPT +-A awall-FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT +-A awall-FORWARD -i eth0 -o eth4 -j ACCEPT +-A awall-FORWARD -i eth0 -o eth5 -j ACCEPT +-A awall-FORWARD -i eth0 -m 
policy --dir out --pol ipsec -j ACCEPT +-A awall-FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT +-A awall-FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT +-A awall-FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT +-A awall-FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT +-A awall-FORWARD -i eth4 -o eth0 -j ACCEPT +-A awall-FORWARD -i eth5 -o eth0 -j ACCEPT +-A awall-FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT +-A awall-FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT +-A awall-FORWARD -i eth4 -o eth4 -j ACCEPT +-A awall-FORWARD -i eth4 -o eth5 -j ACCEPT +-A awall-FORWARD -i eth5 -o eth4 -j ACCEPT +-A awall-FORWARD -i eth5 -o eth5 -j ACCEPT +-A awall-FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT +-A awall-FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT +-A awall-FORWARD -p icmpv6 -j awall-icmp-routing +-A awall-INPUT -j NFLOG --nflog-group 1 --nflog-size 128 +-A awall-INPUT -j TEE --gateway fc00::2 +-A awall-INPUT -m limit --limit 1/second -j LOG +-A awall-INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A awall-INPUT -i lo -j ACCEPT +-A awall-INPUT -j ACCEPT +-A awall-INPUT -j awall-logdrop-0 +-A awall-INPUT +-A awall-INPUT -j ACCEPT +-A awall-INPUT -j DROP +-A awall-INPUT +-A awall-INPUT -j awall-logaccept-0 +-A awall-INPUT -j awall-logdrop-1 +-A awall-INPUT -j awall-logpass-0 +-A awall-INPUT -j awall-logaccept-1 +-A awall-INPUT -j awall-logdrop-2 +-A awall-INPUT -j awall-logpass-1 +-A awall-INPUT -j awall-logaccept-2 +-A awall-INPUT -j awall-logdrop-3 +-A awall-INPUT -j awall-logpass-2 +-A awall-INPUT -j ACCEPT +-A awall-INPUT -j DROP +-A awall-INPUT +-A 
awall-INPUT -j awall-logaccept-3 +-A awall-INPUT -j awall-logdrop-4 +-A awall-INPUT -i eth0 -j ACCEPT +-A awall-INPUT -j ACCEPT +-A awall-INPUT -p icmpv6 -j ACCEPT +-A awall-OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A awall-OUTPUT -o lo -j ACCEPT +-A awall-OUTPUT -j ACCEPT +-A awall-OUTPUT -j awall-logdrop-0 +-A awall-OUTPUT +-A awall-OUTPUT -j ACCEPT +-A awall-OUTPUT -j DROP +-A awall-OUTPUT +-A awall-OUTPUT -j awall-logaccept-0 +-A awall-OUTPUT -j awall-logdrop-1 +-A awall-OUTPUT -j awall-logpass-0 +-A awall-OUTPUT -j awall-logaccept-1 +-A awall-OUTPUT -j awall-logdrop-2 +-A awall-OUTPUT -j awall-logpass-1 +-A awall-OUTPUT -j awall-logaccept-2 +-A awall-OUTPUT -j awall-logdrop-3 +-A awall-OUTPUT -j awall-logpass-2 +-A awall-OUTPUT -j ACCEPT +-A awall-OUTPUT -j DROP +-A awall-OUTPUT +-A awall-OUTPUT -j awall-logaccept-3 +-A awall-OUTPUT -j awall-logdrop-4 +-A awall-OUTPUT -j ACCEPT +-A awall-OUTPUT -o eth1 -d fc00::/7 -j ACCEPT +-A awall-OUTPUT -p icmpv6 -j ACCEPT +-A awall-icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT +-A awall-icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT +-A awall-icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT +-A awall-icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT +-A awall-logaccept-0 -m limit --limit 1/second -j LOG +-A awall-logaccept-0 -j ACCEPT +-A awall-logaccept-1 -j LOG +-A awall-logaccept-1 -j TEE --gateway fc00::1 +-A awall-logaccept-1 -j ACCEPT +-A awall-logaccept-2 -j TEE --gateway fc00::2 +-A awall-logaccept-2 -j ACCEPT +-A awall-logaccept-3 -j ACCEPT +-A awall-logdrop-0 -m limit --limit 1/second -j LOG +-A awall-logdrop-0 -j DROP +-A awall-logdrop-1 -m limit --limit 1/second -j LOG +-A awall-logdrop-1 -j DROP +-A awall-logdrop-2 -j LOG +-A awall-logdrop-2 -j TEE --gateway fc00::1 +-A awall-logdrop-2 -j DROP +-A awall-logdrop-3 -j TEE --gateway fc00::2 +-A awall-logdrop-3 -j DROP +-A awall-logdrop-4 -j DROP +-A awall-logpass-0 -m limit --limit 1/second -j LOG +-A awall-logpass-1 -j LOG +-A awall-logpass-1 -j 
TEE --gateway fc00::1 +-A awall-logpass-2 -j TEE --gateway fc00::2 +COMMIT +*mangle +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +:awall-INPUT - [0:0] +:awall-OUTPUT - [0:0] +:awall-POSTROUTING - [0:0] +:awall-PREROUTING - [0:0] +-A INPUT -j awall-INPUT +-A OUTPUT -j awall-OUTPUT +-A POSTROUTING -j awall-POSTROUTING +-A PREROUTING -j awall-PREROUTING +-A awall-INPUT -j MARK --set-mark 3 +-A awall-OUTPUT -j MARK --set-mark 1 +-A awall-POSTROUTING -o eth1 -d fc00::/7 -j MARK --set-mark 3 +-A awall-PREROUTING -i eth0 -j MARK --set-mark 1 +COMMIT +*raw +:OUTPUT ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +:awall-OUTPUT - [0:0] +:awall-PREROUTING - [0:0] +-A OUTPUT -j awall-OUTPUT +-A PREROUTING -j awall-PREROUTING +-A awall-OUTPUT -j CT --notrack +-A awall-PREROUTING -i eth0 -j CT --notrack +-A awall-PREROUTING -i eth1 -s fc00::/7 -j CT --notrack +-A awall-PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack +COMMIT + diff --git a/test/output/dedicated/ipset-awall-masquerade b/test/output/dedicated/ipset-awall-masquerade new file mode 100644 index 0000000..b3a47fd --- /dev/null +++ b/test/output/dedicated/ipset-awall-masquerade @@ -0,0 +1,2 @@ +# ipset awall-masquerade +hash:net family inet diff --git a/test/output/dedicated/rules-save b/test/output/dedicated/rules-save new file mode 100644 index 0000000..4ce5699 --- /dev/null +++ b/test/output/dedicated/rules-save 
@@ -0,0 +1,241 @@ +# rules-save generated by awall +*filter +:FORWARD DROP [0:0] +:INPUT DROP [0:0] +:OUTPUT DROP [0:0] +:awall-FORWARD - [0:0] +:awall-INPUT - [0:0] +:awall-OUTPUT - [0:0] +:awall-icmp-routing - [0:0] +:awall-logaccept-0 - [0:0] +:awall-logaccept-1 - [0:0] +:awall-logaccept-2 - [0:0] +:awall-logaccept-3 - [0:0] +:awall-logdrop-0 - [0:0] +:awall-logdrop-1 - [0:0] +:awall-logdrop-2 - [0:0] +:awall-logdrop-3 - [0:0] +:awall-logdrop-4 - [0:0] +:awall-logpass-0 - [0:0] +:awall-logpass-1 - [0:0] +:awall-logpass-2 - [0:0] +:awall-logpass-3 - [0:0] +-A FORWARD -j awall-FORWARD +-A INPUT -j awall-INPUT +-A OUTPUT -j awall-OUTPUT +-A awall-FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A awall-FORWARD -j ACCEPT +-A awall-FORWARD -j awall-logdrop-0 +-A awall-FORWARD +-A awall-FORWARD -j ACCEPT +-A awall-FORWARD -j DROP +-A awall-FORWARD +-A awall-FORWARD -j awall-logaccept-0 +-A awall-FORWARD -j awall-logdrop-1 +-A awall-FORWARD -j awall-logpass-0 +-A awall-FORWARD -j awall-logaccept-1 +-A awall-FORWARD -j awall-logdrop-2 +-A awall-FORWARD -j awall-logpass-1 +-A awall-FORWARD -j awall-logaccept-2 +-A awall-FORWARD -j awall-logdrop-3 +-A awall-FORWARD -j awall-logpass-2 +-A awall-FORWARD -j ACCEPT +-A awall-FORWARD -j DROP +-A awall-FORWARD +-A awall-FORWARD -j awall-logaccept-3 +-A awall-FORWARD -j awall-logdrop-4 +-A awall-FORWARD -j awall-logpass-3 +-A awall-FORWARD -i eth0 -j ACCEPT +-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth0 -o eth4 -j ACCEPT +-A awall-FORWARD -i eth0 -o eth5 -j ACCEPT +-A awall-FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT +-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o 
eth0 -j ACCEPT +-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT +-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT +-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT +-A awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT +-A awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT +-A awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT +-A awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT +-A awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT +-A awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT +-A awall-FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT +-A awall-FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT +-A awall-FORWARD -i eth4 -o eth0 -j ACCEPT +-A awall-FORWARD -i eth5 -o eth0 -j ACCEPT +-A awall-FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -i eth4 -o eth4 -j ACCEPT +-A awall-FORWARD -i eth4 -o eth5 -j ACCEPT +-A awall-FORWARD -i eth5 -o eth4 -j ACCEPT +-A awall-FORWARD -i eth5 -o eth5 -j ACCEPT +-A awall-FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT +-A awall-FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -o eth0 -j 
ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT +-A awall-FORWARD -p icmp -j awall-icmp-routing +-A awall-INPUT -m limit --limit 12/minute -j ULOG +-A awall-INPUT -j NFLOG --nflog-group 1 --nflog-size 128 +-A awall-INPUT -j TEE --gateway 10.0.0.2 +-A awall-INPUT -j TEE --gateway 10.0.0.1 +-A awall-INPUT -m limit --limit 1/second -j LOG +-A awall-INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A awall-INPUT -i lo -j ACCEPT +-A awall-INPUT -j ACCEPT +-A awall-INPUT -j awall-logdrop-0 +-A awall-INPUT +-A awall-INPUT -j ACCEPT +-A awall-INPUT -j DROP +-A awall-INPUT +-A awall-INPUT -j awall-logaccept-0 +-A awall-INPUT -j awall-logdrop-1 +-A awall-INPUT -j awall-logpass-0 +-A awall-INPUT -j awall-logaccept-1 +-A awall-INPUT -j awall-logdrop-2 +-A awall-INPUT -j awall-logpass-1 +-A awall-INPUT -j awall-logaccept-2 +-A awall-INPUT -j awall-logdrop-3 +-A awall-INPUT -j awall-logpass-2 +-A awall-INPUT -j ACCEPT +-A awall-INPUT -j DROP +-A awall-INPUT +-A awall-INPUT -j awall-logaccept-3 +-A awall-INPUT -j awall-logdrop-4 +-A awall-INPUT -j awall-logpass-3 +-A awall-INPUT -i eth0 -j ACCEPT +-A awall-INPUT -j ACCEPT +-A awall-INPUT -p icmp -j awall-icmp-routing +-A awall-OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A awall-OUTPUT -o lo -j ACCEPT +-A awall-OUTPUT -j ACCEPT +-A awall-OUTPUT -j awall-logdrop-0 +-A awall-OUTPUT +-A awall-OUTPUT -j ACCEPT +-A awall-OUTPUT -j DROP +-A awall-OUTPUT +-A awall-OUTPUT -j awall-logaccept-0 +-A awall-OUTPUT -j awall-logdrop-1 +-A awall-OUTPUT -j awall-logpass-0 +-A awall-OUTPUT -j awall-logaccept-1 +-A 
awall-OUTPUT -j awall-logdrop-2 +-A awall-OUTPUT -j awall-logpass-1 +-A awall-OUTPUT -j awall-logaccept-2 +-A awall-OUTPUT -j awall-logdrop-3 +-A awall-OUTPUT -j awall-logpass-2 +-A awall-OUTPUT -j ACCEPT +-A awall-OUTPUT -j DROP +-A awall-OUTPUT +-A awall-OUTPUT -j awall-logaccept-3 +-A awall-OUTPUT -j awall-logdrop-4 +-A awall-OUTPUT -j awall-logpass-3 +-A awall-OUTPUT -m limit --limit 12/minute -j ULOG +-A awall-OUTPUT -j ACCEPT +-A awall-OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT +-A awall-OUTPUT -p icmp -j awall-icmp-routing +-A awall-icmp-routing -p icmp --icmp-type 3 -j ACCEPT +-A awall-icmp-routing -p icmp --icmp-type 11 -j ACCEPT +-A awall-icmp-routing -p icmp --icmp-type 12 -j ACCEPT +-A awall-logaccept-0 -m limit --limit 1/second -j LOG +-A awall-logaccept-0 -j ACCEPT +-A awall-logaccept-1 -j LOG +-A awall-logaccept-1 -j ACCEPT +-A awall-logaccept-2 -j TEE --gateway 10.0.0.1 +-A awall-logaccept-2 -j TEE --gateway 10.0.0.2 +-A awall-logaccept-2 -j ACCEPT +-A awall-logaccept-3 -m limit --limit 12/minute -j ULOG +-A awall-logaccept-3 -j ACCEPT +-A awall-logdrop-0 -m limit --limit 1/second -j LOG +-A awall-logdrop-0 -j DROP +-A awall-logdrop-1 -m limit --limit 1/second -j LOG +-A awall-logdrop-1 -j DROP +-A awall-logdrop-2 -j LOG +-A awall-logdrop-2 -j DROP +-A awall-logdrop-3 -j TEE --gateway 10.0.0.1 +-A awall-logdrop-3 -j TEE --gateway 10.0.0.2 +-A awall-logdrop-3 -j DROP +-A awall-logdrop-4 -m limit --limit 12/minute -j ULOG +-A awall-logdrop-4 -j DROP +-A awall-logpass-0 -m limit --limit 1/second -j LOG +-A awall-logpass-1 -j LOG +-A awall-logpass-2 -j TEE --gateway 10.0.0.1 +-A awall-logpass-2 -j TEE --gateway 10.0.0.2 +-A awall-logpass-3 -m limit --limit 12/minute -j ULOG +COMMIT +*mangle +:FORWARD ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +:awall-FORWARD - [0:0] +:awall-INPUT - [0:0] +:awall-OUTPUT - [0:0] +:awall-POSTROUTING - [0:0] +:awall-PREROUTING - [0:0] +-A FORWARD -j 
awall-FORWARD +-A INPUT -j awall-INPUT +-A OUTPUT -j awall-OUTPUT +-A POSTROUTING -j awall-POSTROUTING +-A PREROUTING -j awall-PREROUTING +-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j MARK --set-mark 2 +-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j MARK --set-mark 2 +-A awall-INPUT -j MARK --set-mark 3 +-A awall-OUTPUT -j MARK --set-mark 1 +-A awall-POSTROUTING -o eth1 -d 10.0.0.0/12 -j MARK --set-mark 3 +-A awall-PREROUTING -i eth0 -j MARK --set-mark 1 +COMMIT +*nat +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +:awall-INPUT - [0:0] +:awall-OUTPUT - [0:0] +:awall-POSTROUTING - [0:0] +:awall-PREROUTING - [0:0] +:awall-awall-masquerade - [0:0] +-A INPUT -j awall-INPUT +-A OUTPUT -j awall-OUTPUT +-A POSTROUTING -j awall-POSTROUTING +-A PREROUTING -j awall-PREROUTING +-A awall-INPUT -j MASQUERADE +-A awall-OUTPUT -j REDIRECT +-A awall-POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE +-A awall-POSTROUTING -m set --match-set awall-masquerade src -j awall-awall-masquerade +-A awall-PREROUTING -i eth0 -j REDIRECT +-A awall-PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT +-A awall-awall-masquerade -m set ! --match-set awall-masquerade dst -j MASQUERADE +COMMIT +*raw +:OUTPUT ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +:awall-OUTPUT - [0:0] +:awall-PREROUTING - [0:0] +-A OUTPUT -j awall-OUTPUT +-A PREROUTING -j awall-PREROUTING +-A awall-OUTPUT -j CT --notrack +-A awall-PREROUTING -i eth0 -j CT --notrack +-A awall-PREROUTING -i eth1 -s 10.0.0.0/12 -j CT --notrack +-A awall-PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack +COMMIT diff --git a/test/output/dedicated/rules6-save b/test/output/dedicated/rules6-save new file mode 100644 index 0000000..48e7802 --- /dev/null +++ b/test/output/dedicated/rules6-save 
@@ -0,0 +1,181 @@ +# rules6-save generated by awall +*filter +:FORWARD DROP [0:0] +:INPUT DROP [0:0] +:OUTPUT DROP [0:0] +:awall-FORWARD - [0:0] +:awall-INPUT - [0:0] +:awall-OUTPUT - [0:0] +:awall-icmp-routing - [0:0] +:awall-logaccept-0 - [0:0] +:awall-logaccept-1 - [0:0] +:awall-logaccept-2 - [0:0] +:awall-logaccept-3 - [0:0] +:awall-logdrop-0 - [0:0] +:awall-logdrop-1 - [0:0] +:awall-logdrop-2 - [0:0] +:awall-logdrop-3 - [0:0] +:awall-logdrop-4 - [0:0] +:awall-logpass-0 - [0:0] +:awall-logpass-1 - [0:0] +:awall-logpass-2 - [0:0] +-A FORWARD -j awall-FORWARD +-A INPUT -j awall-INPUT +-A OUTPUT -j awall-OUTPUT +-A awall-FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A awall-FORWARD -j ACCEPT +-A awall-FORWARD -j awall-logdrop-0 +-A awall-FORWARD +-A awall-FORWARD -j ACCEPT +-A awall-FORWARD -j DROP +-A awall-FORWARD +-A awall-FORWARD -j awall-logaccept-0 +-A awall-FORWARD -j awall-logdrop-1 +-A awall-FORWARD -j awall-logpass-0 +-A awall-FORWARD -j awall-logaccept-1 +-A awall-FORWARD -j awall-logdrop-2 +-A awall-FORWARD -j awall-logpass-1 +-A awall-FORWARD -j awall-logaccept-2 +-A awall-FORWARD -j awall-logdrop-3 +-A awall-FORWARD -j awall-logpass-2 +-A awall-FORWARD -j ACCEPT +-A awall-FORWARD -j DROP +-A awall-FORWARD +-A awall-FORWARD -j awall-logaccept-3 +-A awall-FORWARD -j awall-logdrop-4 +-A awall-FORWARD -i eth0 -j ACCEPT +-A awall-FORWARD -o eth1 -d fc00::/7 -j ACCEPT +-A awall-FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT +-A awall-FORWARD -i eth0 -o eth4 -j ACCEPT +-A awall-FORWARD -i eth0 -o eth5 -j ACCEPT +-A awall-FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT +-A awall-FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT +-A awall-FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT +-A awall-FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT +-A awall-FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT +-A awall-FORWARD -i eth4 -o eth0 -j ACCEPT +-A awall-FORWARD -i eth5 -o eth0 -j ACCEPT +-A awall-FORWARD -i eth4 -o eth1 -d 
fc00::/7 -j ACCEPT +-A awall-FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT +-A awall-FORWARD -i eth4 -o eth4 -j ACCEPT +-A awall-FORWARD -i eth4 -o eth5 -j ACCEPT +-A awall-FORWARD -i eth5 -o eth4 -j ACCEPT +-A awall-FORWARD -i eth5 -o eth5 -j ACCEPT +-A awall-FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT +-A awall-FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT +-A awall-FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT +-A awall-FORWARD -p icmpv6 -j awall-icmp-routing +-A awall-INPUT -j NFLOG --nflog-group 1 --nflog-size 128 +-A awall-INPUT -j TEE --gateway fc00::2 +-A awall-INPUT -m limit --limit 1/second -j LOG +-A awall-INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A awall-INPUT -i lo -j ACCEPT +-A awall-INPUT -j ACCEPT +-A awall-INPUT -j awall-logdrop-0 +-A awall-INPUT +-A awall-INPUT -j ACCEPT +-A awall-INPUT -j DROP +-A awall-INPUT +-A awall-INPUT -j awall-logaccept-0 +-A awall-INPUT -j awall-logdrop-1 +-A awall-INPUT -j awall-logpass-0 +-A awall-INPUT -j awall-logaccept-1 +-A awall-INPUT -j awall-logdrop-2 +-A awall-INPUT -j awall-logpass-1 +-A awall-INPUT -j awall-logaccept-2 +-A awall-INPUT -j awall-logdrop-3 +-A awall-INPUT -j awall-logpass-2 +-A awall-INPUT -j ACCEPT +-A awall-INPUT -j DROP +-A awall-INPUT +-A awall-INPUT -j awall-logaccept-3 +-A awall-INPUT -j awall-logdrop-4 +-A awall-INPUT -i eth0 -j ACCEPT +-A awall-INPUT -j ACCEPT +-A awall-INPUT -p icmpv6 -j ACCEPT +-A awall-OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A awall-OUTPUT -o lo -j ACCEPT +-A awall-OUTPUT -j ACCEPT +-A awall-OUTPUT -j awall-logdrop-0 +-A awall-OUTPUT +-A awall-OUTPUT -j ACCEPT +-A awall-OUTPUT -j DROP +-A awall-OUTPUT +-A 
awall-OUTPUT -j awall-logaccept-0 +-A awall-OUTPUT -j awall-logdrop-1 +-A awall-OUTPUT -j awall-logpass-0 +-A awall-OUTPUT -j awall-logaccept-1 +-A awall-OUTPUT -j awall-logdrop-2 +-A awall-OUTPUT -j awall-logpass-1 +-A awall-OUTPUT -j awall-logaccept-2 +-A awall-OUTPUT -j awall-logdrop-3 +-A awall-OUTPUT -j awall-logpass-2 +-A awall-OUTPUT -j ACCEPT +-A awall-OUTPUT -j DROP +-A awall-OUTPUT +-A awall-OUTPUT -j awall-logaccept-3 +-A awall-OUTPUT -j awall-logdrop-4 +-A awall-OUTPUT -j ACCEPT +-A awall-OUTPUT -o eth1 -d fc00::/7 -j ACCEPT +-A awall-OUTPUT -p icmpv6 -j ACCEPT +-A awall-icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT +-A awall-icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT +-A awall-icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT +-A awall-icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT +-A awall-logaccept-0 -m limit --limit 1/second -j LOG +-A awall-logaccept-0 -j ACCEPT +-A awall-logaccept-1 -j LOG +-A awall-logaccept-1 -j TEE --gateway fc00::1 +-A awall-logaccept-1 -j ACCEPT +-A awall-logaccept-2 -j TEE --gateway fc00::2 +-A awall-logaccept-2 -j ACCEPT +-A awall-logaccept-3 -j ACCEPT +-A awall-logdrop-0 -m limit --limit 1/second -j LOG +-A awall-logdrop-0 -j DROP +-A awall-logdrop-1 -m limit --limit 1/second -j LOG +-A awall-logdrop-1 -j DROP +-A awall-logdrop-2 -j LOG +-A awall-logdrop-2 -j TEE --gateway fc00::1 +-A awall-logdrop-2 -j DROP +-A awall-logdrop-3 -j TEE --gateway fc00::2 +-A awall-logdrop-3 -j DROP +-A awall-logdrop-4 -j DROP +-A awall-logpass-0 -m limit --limit 1/second -j LOG +-A awall-logpass-1 -j LOG +-A awall-logpass-1 -j TEE --gateway fc00::1 +-A awall-logpass-2 -j TEE --gateway fc00::2 +COMMIT +*mangle +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +:awall-INPUT - [0:0] +:awall-OUTPUT - [0:0] +:awall-POSTROUTING - [0:0] +:awall-PREROUTING - [0:0] +-A INPUT -j awall-INPUT +-A OUTPUT -j awall-OUTPUT +-A POSTROUTING -j awall-POSTROUTING +-A PREROUTING -j awall-PREROUTING +-A 
awall-INPUT -j MARK --set-mark 3 +-A awall-OUTPUT -j MARK --set-mark 1 +-A awall-POSTROUTING -o eth1 -d fc00::/7 -j MARK --set-mark 3 +-A awall-PREROUTING -i eth0 -j MARK --set-mark 1 +COMMIT +*raw +:OUTPUT ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +:awall-OUTPUT - [0:0] +:awall-PREROUTING - [0:0] +-A OUTPUT -j awall-OUTPUT +-A PREROUTING -j awall-PREROUTING +-A awall-OUTPUT -j CT --notrack +-A awall-PREROUTING -i eth0 -j CT --notrack +-A awall-PREROUTING -i eth1 -s fc00::/7 -j CT --notrack +-A awall-PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack +COMMIT diff --git a/test/output/filter-dnat/dump b/test/output/filter-dnat/dump index 90116b1..cceeff1 100644 --- a/test/output/filter-dnat/dump +++ b/test/output/filter-dnat/dump @@ -635,8 +635,11 @@ Snat 1 {"out":["_fw","B"]} inet/nat/POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE -Variable awall_tproxy_mark 1 -(defaults) +Variable awall_dedicated_chains false +(defaults) + +Variable awall_tproxy_mark 1 +(defaults) Zone A {"iface":"eth0"} diff --git a/test/output/filter-limit/dump b/test/output/filter-limit/dump index 17988c8..46a3c5e 100644 --- a/test/output/filter-limit/dump +++ b/test/output/filter-limit/dump @@ -59773,8 +59773,11 @@ Snat 1 {"out":["_fw","B"]} inet/nat/POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE -Variable awall_tproxy_mark 1 -(defaults) +Variable awall_dedicated_chains false +(defaults) + +Variable awall_tproxy_mark 1 +(defaults) Zone A {"iface":"eth0"} diff --git a/test/output/filter/dump b/test/output/filter/dump index 203ad67..25396fb 100644 --- a/test/output/filter/dump +++ b/test/output/filter/dump @@ -693,8 +693,11 @@ Snat 1 {"out":["_fw","B"]} inet/nat/POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE -Variable awall_tproxy_mark 1 -(defaults) +Variable awall_dedicated_chains false +(defaults) + +Variable awall_tproxy_mark 1 +(defaults) Zone A {"iface":"eth0"} diff --git a/test/output/no-track/dump b/test/output/no-track/dump index 59085f8..14d51ec 100644 
--- a/test/output/no-track/dump +++ b/test/output/no-track/dump @@ -689,8 +689,11 @@ Snat 1 {"out":["_fw","B"]} inet/nat/POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE -Variable awall_tproxy_mark 1 -(defaults) +Variable awall_dedicated_chains false +(defaults) + +Variable awall_tproxy_mark 1 +(defaults) Zone A {"iface":"eth0"} diff --git a/test/output/route-track/dump b/test/output/route-track/dump index 66f0626..62b6c43 100644 --- a/test/output/route-track/dump +++ b/test/output/route-track/dump @@ -635,8 +635,11 @@ Snat 1 {"out":["_fw","B"]} inet/nat/POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE -Variable awall_tproxy_mark 1 -(defaults) +Variable awall_dedicated_chains false +(defaults) + +Variable awall_tproxy_mark 1 +(defaults) Zone A {"iface":"eth0"} diff --git a/test/output/tproxy/dump b/test/output/tproxy/dump index 897bbc1..5d226e9 100644 --- a/test/output/tproxy/dump +++ b/test/output/tproxy/dump @@ -629,8 +629,11 @@ Tproxy 1 {"in":"B","service":"http"} inet6/mangle/PREROUTING -i eth1 -s fc00::/7 -p tcp --dport 80 -j TPROXY --tproxy-mark 1 --on-port 0 -Variable awall_tproxy_mark 1 -(defaults) +Variable awall_dedicated_chains false +(defaults) + +Variable awall_tproxy_mark 1 +(defaults) Zone A {"iface":"eth0"} |