diff --git a/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb b/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb
@@ -213,6 +213,42 @@ class { '::firewall': }
         end
       end
     end
+
+    unless os[:family] == 'redhat' && os[:release].start_with?('8')
+      describe 'time tests' do
+        context 'when set all time parameters' do
+          pp1 = <<-PUPPETCODE
+              class { '::firewall': }
+              firewall { '805 - time':
+                proto              => tcp,
+                dport              => '8080',
+                action             => accept,
+                chain              => 'OUTPUT',
+                date_start         => '2016-01-19T04:17:07',
+                date_stop          => '2038-01-19T04:17:07',
+                time_start         => '6:00',
+                time_stop          => '17:00:00',
+                month_days         => '7',
+                week_days          => 'Tue',
+                kernel_timezone    => true,
+                provider           => 'ip6tables',
+              }
+          PUPPETCODE
+          it 'applies' do
+            apply_manifest(pp1, catch_failures: true)
+            apply_manifest(pp1, catch_changes: do_catch_changes)
+          end
+
+          it 'contains the rule' do
+            shell('ip6tables-save') do |r|
+              expect(r.stdout).to match(
+                %r{-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - time" -j ACCEPT}, # rubocop:disable Metrics/LineLength
+              )
+            end
+          end
+        end
+      end
+    end
   end
 
   describe 'unless redhat 5 happy path', unless: (os[:family] == 'redhat' && os[:release].start_with?('5')) do

diff --git a/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb b/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb
@@ -243,20 +243,6 @@ class { '::firewall': }
           physdev_out        => "eth1",
           physdev_is_bridged => true,
         }
-        firewall { '805 - time':
-          proto              => tcp,
-          dport              => '8080',
-          action             => accept,
-          chain              => 'OUTPUT',
-          date_start         => '2016-01-19T04:17:07',
-          date_stop          => '2038-01-19T04:17:07',
-          time_start         => '6:00',
-          time_stop          => '17:00:00',
-          month_days         => '7',
-          week_days          => 'Tue',
-          kernel_timezone    => true,
-          provider           => 'ip6tables',
-        }
         firewall { '806 - hashlimit_above test ipv6':
           chain                       => 'INPUT',
           provider                    => 'ip6tables',
@@ -275,7 +261,6 @@ class { '::firewall': }
           proto   => all,
           provider => 'ip6tables',
         }
-
       PUPPETCODE
       apply_manifest(pp, catch_failures: true)
       apply_manifest(pp, catch_changes: do_catch_changes)
@@ -374,11 +359,6 @@ class { '::firewall': }
     it 'tee_gateway is set' do
       expect(result.stdout).to match(%r{-A PREROUTING -m comment --comment "811 - tee_gateway6" -j TEE --gateway 2001:db8::1})
     end
-    it 'when set all time parameters' do
-      expect(result.stdout).to match(
-        %r{-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - time" -j ACCEPT}, # rubocop:disable Metrics/LineLength
-      )
-    end
     it 'hashlimit_above is set' do
       regex_array = [%r{-A INPUT}, %r{-p tcp}, %r{--hashlimit-above 526\/sec}, %r{--hashlimit-mode srcip,dstip},
                      %r{--hashlimit-name above-ip6}, %r{--hashlimit-htable-gcinterval 10}, %r{-j ACCEPT}]
@@ -387,4 +367,27 @@ class { '::firewall': }
       end
     end
   end
+
+  describe 'test CT target attributes which are not available on some OS', unless:
+      (os[:family] == 'redhat' && (os[:release].start_with?('5', '6') || host_inventory['facter']['os']['name'] == 'OracleLinux')) || (host_inventory['facter']['os']['family'] == 'Suse') do
+    before(:all) do
+      pp = <<-PUPPETCODE
+          firewall { '1100 - ct_target tests - zone':
+            proto => 'all',
+            zone  => '4000',
+            jump  => 'CT',
+            chain => 'PREROUTING',
+            table => 'raw',
+          }
+      PUPPETCODE
+      apply_manifest(pp, catch_failures: true)
+      apply_manifest(pp, catch_changes: do_catch_changes)
+    end
+
+    let(:result) { shell('iptables-save') }
+
+    it 'zone is set' do
+      expect(result.stdout).to match(%r{-A PREROUTING -m comment --comment "1100 - ct_target tests - zone" -j CT --zone 4000})
+    end
+  end
 end
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
@@ -392,6 +392,17 @@
       src_type: ['! LOCAL'],
     },
   },
+  'physdev_negated' => {
+    line: '-A cali-POSTROUTING -o tunl0 -m comment --comment "010 cali:JHlpT-eSqR1TvyYm" -m physdev ! --physdev-is-in -j MASQUERADE',
+    table: 'filter',
+    params: {
+      chain: 'cali-POSTROUTING',
+      outiface: 'tunl0',
+      name: '010 cali:JHlpT-eSqR1TvyYm',
+      jump: 'MASQUERADE',
+      physdev_is_in: '! ',
+    },
+  },
   'addrtype_multiple' => {
     line: '-A cali-POSTROUTING -o tunl0 -m comment --comment "000 cali:JHlpT-eSqR1TvyYm" -m addrtype ! --src-type LOCAL --limit-iface-out -m addrtype --src-type LOCAL -j MASQUERADE',
     table: 'filter',

diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
@@ -29,6 +29,11 @@
   end
 end
 
+# read default_facts and merge them over what is provided by facterdb
+default_facts.each do |fact, value|
+  add_custom_fact fact, value
+end
+
 RSpec.configure do |c|
   c.default_facts = default_facts
   c.before :each do
@@ -42,6 +47,8 @@
   end
 end
 
+# Ensures that a module is defined
+# @param module_name Name of the module
 def ensure_module_defined(module_name)
   module_name.split('::').reduce(Object) do |last_module, next_module|
     last_module.const_set(next_module, Module.new) unless last_module.const_defined?(next_module, false)

diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb
@@ -11,7 +11,7 @@ def iptables_flush_all_tables
 end
 
 def ip6tables_flush_all_tables
-  ['filter', 'mangle'].each do |t|
+  ['filter', 'mangle', 'raw'].each do |t|
     expect(shell("ip6tables -t #{t} -F").stderr).to eq('')
   end
 end

diff --git a/spec/unit/puppet/type/firewall_spec.rb b/spec/unit/puppet/type/firewall_spec.rb
@@ -558,6 +558,13 @@
     end
   end
 
+  describe 'ct_target' do
+    it 'allows me to set zone' do
+      resource[:zone] = 4000
+      expect(resource[:zone]).to be 4000
+    end
+  end
+
   [:chain, :jump].each do |param|
     describe param do
       it 'autorequires fwchain when table and provider are undefined' do