test(direct): verify rule order with multiple address with -s/-d

Coverage: rhbz 1940928
Coverage: rhbz 1949552

src/tests/regression/regression.at

@@ -39,3 +39,4 @@ m4_include([regression/rhbz1871298.at])
 m4_include([regression/rhbz1596304.at])
 m4_include([regression/gh703.at])
 m4_include([regression/ipset_netmask_allowed.at])
+m4_include([regression/rhbz1940928.at])

src/tests/regression/rhbz1940928.at

@@ -0,0 +1,52 @@
+FWD_START_TEST([direct -s/-d multiple addresses])
+AT_KEYWORDS(direct rhbz1940928 rhbz1949552)
+CHECK_IPTABLES
+
+dnl test triggers a limitation in iptables-restore
+dnl
+AT_CHECK([sed -i 's/^IndividualCalls.*/IndividualCalls=no/' ./firewalld.conf])
+FWD_RELOAD
+
+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 2 -p tcp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 2 -p udp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 9 -j DROP], 0, [ignore], [ignore])
+
+IPTABLES_LIST_RULES_ALWAYS([filter], [m4_if(iptables, FIREWALL_BACKEND, [OUTPUT_direct], [OUTPUT])], 0, [dnl
+		ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
+		ACCEPT     tcp  --  0.0.0.0/0            10.0.0.0/8
+		ACCEPT     tcp  --  0.0.0.0/0            172.16.0.0/16
+		ACCEPT     tcp  --  0.0.0.0/0            192.168.0.0/24
+		ACCEPT     udp  --  0.0.0.0/0            10.0.0.0/8
+		ACCEPT     udp  --  0.0.0.0/0            172.16.0.0/16
+		ACCEPT     udp  --  0.0.0.0/0            192.168.0.0/24
+		DROP       all  --  0.0.0.0/0            0.0.0.0/0
+])
+
+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 1 -p sctp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+
+IPTABLES_LIST_RULES_ALWAYS([filter], [m4_if(iptables, FIREWALL_BACKEND, [OUTPUT_direct], [OUTPUT])], 0, [dnl
+		ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
+		ACCEPT     sctp --  0.0.0.0/0            10.0.0.0/8
+		ACCEPT     sctp --  0.0.0.0/0            172.16.0.0/16
+		ACCEPT     sctp --  0.0.0.0/0            192.168.0.0/24
+		ACCEPT     tcp  --  0.0.0.0/0            10.0.0.0/8
+		ACCEPT     tcp  --  0.0.0.0/0            172.16.0.0/16
+		ACCEPT     tcp  --  0.0.0.0/0            192.168.0.0/24
+		ACCEPT     udp  --  0.0.0.0/0            10.0.0.0/8
+		ACCEPT     udp  --  0.0.0.0/0            172.16.0.0/16
+		ACCEPT     udp  --  0.0.0.0/0            192.168.0.0/24
+		DROP       all  --  0.0.0.0/0            0.0.0.0/0
+])
+
+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 1 -p sctp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 2 -p tcp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 2 -p udp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 9 -j DROP], 0, [ignore], [ignore])
+
+
+IPTABLES_LIST_RULES_ALWAYS([filter], [m4_if(iptables, FIREWALL_BACKEND, [OUTPUT_direct], [OUTPUT])], 0, [dnl
+])
+
+FWD_END_TEST