dnl Regression test, keyword rhbz1514043: switching on denied-packet logging
dnl must leave the existing zone configuration intact, and the logging rules
dnl must really be present in the generated ruleset.
dnl
dnl NOTE(review): the expected-output blocks below are written one rule per
dnl line at column 0. This assumes the list helpers normalise leading
dnl whitespace before comparing; confirm against their definitions.
FWD_START_TEST([--set-log-denied does not zero config])
AT_KEYWORDS(log_denied rhbz1514043)

dnl Enable logging of all denied packets, then change permanent config and
dnl reload so the runtime ruleset is rebuilt with both settings.
FWD_CHECK([-q --set-log-denied=all])
FWD_CHECK([-q --permanent --zone=public --add-service=samba])
FWD_RELOAD

dnl The public zone must list samba next to the services it had before.
dnl An empty or shortened list here is the regression this test guards.
FWD_CHECK([--zone=public --list-all | TRIM | grep ^services], 0, [dnl
services: dhcpv6-client samba ssh
])

dnl check that log denied actually took effect
dnl
dnl Order matters in every listing below: each log rule sits directly in
dnl front of the verdict it reports on, the invalid-state drop and the final
dnl reject. A log rule placed after its verdict would never be reached.

dnl nftables backend, input path.
NFT_LIST_RULES([inet], [filter_INPUT], 0, [dnl
table inet firewalld {
chain filter_INPUT {
ct state established,related accept
ct status dnat accept
iifname "lo" accept
jump filter_INPUT_ZONES
ct state invalid log prefix "STATE_INVALID_DROP: "
ct state invalid drop
log prefix "FINAL_REJECT: "
reject with icmpx type admin-prohibited
}
}
])

dnl nftables backend, forward path. The RFC3964 reject of IPv4-embedding
dnl IPv6 destinations also carries its own log prefix here.
NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
table inet firewalld {
chain filter_FORWARD {
ct state established,related accept
ct status dnat accept
iifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmpv6 type addr-unreachable
jump filter_FORWARD_IN_ZONES
jump filter_FORWARD_OUT_ZONES
ct state invalid log prefix "STATE_INVALID_DROP: "
ct state invalid drop
log prefix "FINAL_REJECT: "
reject with icmpx type admin-prohibited
}
}
])

dnl iptables backend, IPv4 input path.
dnl NOTE(review): the second ACCEPT line shows no match criteria because this
dnl listing format has no interface column; it presumably corresponds to the
dnl loopback accept seen in the nftables listing. Confirm before reading it
dnl as an accept-all rule.
IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
])

dnl iptables backend, IPv4 forward path.
IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
])

dnl ip6tables backend, IPv6 input path.
IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT
ACCEPT all ::/0 ::/0
INPUT_direct all ::/0 ::/0
INPUT_ZONES all ::/0 ::/0
LOG all ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
DROP all ::/0 ::/0 ctstate INVALID
LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "
REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
])

dnl ip6tables backend, IPv6 forward path. The RFC3964 handling appears as a
dnl jump to its own chain, so its log rule is not visible in this listing.
IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT
ACCEPT all ::/0 ::/0
FORWARD_direct all ::/0 ::/0
RFC3964_IPv4 all ::/0 ::/0
FORWARD_IN_ZONES all ::/0 ::/0
FORWARD_OUT_ZONES all ::/0 ::/0
LOG all ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
DROP all ::/0 ::/0 ctstate INVALID
LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "
REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
])

FWD_END_TEST