},
{
- ".description": "DSCP rules must not specify a destination",
+ ".description": "DSCP target rules require a set_dscp option",
"proto": "any",
- "name": "DSCP rule #1",
- "dest": "*",
- "target": "dscp"
- },
- {
- ".description": "DSCP rules require a set_dscp option",
- "proto": "any",
- "name": "DSCP rule #2",
+ "name": "DSCP target rule #1",
"target": "dscp"
},
{
- ".description": "Mark rules must not specify a destination",
+ ".description": "DSCP matches enforce AF specific rules due to required ip/ip6 prefix",
"proto": "any",
- "name": "Mark rule #1",
- "dest": "*",
- "target": "mark"
+ "name": "DSCP match rule #1",
+ "dscp": "0x0"
},
+
{
".description": "Mark rules require a set_xmark or set_mark option",
"proto": "any",
- "name": "Mark rule #2",
+ "name": "Mark rule #1",
"target": "mark"
},
]
[!] Section @rule[0] (Helper rule #1) must specify a source zone for target 'helper'
[!] Section @rule[1] (Helper rule #2) must specify option 'set_helper' for target 'helper'
[!] Section @rule[2] (Notrack rule) must specify a source zone for target 'notrack'
-[!] Section @rule[3] (DSCP rule #1) must not specify option 'dest' for target 'dscp'
-[!] Section @rule[4] (DSCP rule #2) must specify option 'set_dscp' for target 'dscp'
-[!] Section @rule[5] (Mark rule #1) must not specify option 'dest' for target 'mark'
-[!] Section @rule[6] (Mark rule #2) must specify option 'set_mark' or 'set_xmark' for target 'mark'
+[!] Section @rule[3] (DSCP target rule #1) must specify option 'set_dscp' for target 'dscp'
+[!] Section @rule[5] (Mark rule #1) must specify option 'set_mark' or 'set_xmark' for target 'mark'
-- End --
-- Expect stdout --
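Review bot: With the two `must not specify option 'dest'` expectations dropped here, nothing visible in this test still exercises `dest` together with target `dscp` or `mark`: no remaining fixture sets it, and the new `mangle_postrouting` and `mangle_input` chains further down are expected to be empty. If a destination is now accepted for these targets (inferred from the removals; the validation code is not shown), the chain such a rule is rendered into is not pinned by any expectation, so a regression could mark or reclassify traffic at the wrong hook without failing this test. I would add a positive fixture, for example `"dest": "*", "target": "mark", "set_mark": "0x1"` (constructed value), together with the matching expected rule line in the mangle chain it is meant to land in. The fixture list and the expected-output block both begin and end outside the visible part, so this may already be covered elsewhere in the suite.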
oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+ meta nfproto ipv4 ip dscp 0x0 counter comment "!fw4: DSCP match rule #1"
+ meta nfproto ipv6 ip6 dscp 0x0 counter comment "!fw4: DSCP match rule #1"
+ }
+
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
}
chain handle_reject {
jump drop_to_lan
}
+ chain helper_lan {
+ }
+
chain drop_from_lan {
}
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
type filter hook output priority raw; policy accept;
}
- chain helper_lan {
- }
-
#
# Mangle rules
type filter hook prerouting priority mangle; policy accept;
}
+ chain mangle_postrouting {
+ type filter hook postrouting priority mangle; policy accept;
+ }
+
+ chain mangle_input {
+ type filter hook input priority mangle; policy accept;
+ }
+
chain mangle_output {
- type filter hook output priority mangle; policy accept;
+ type route hook output priority mangle; policy accept;
}
chain mangle_forward {