authorJo-Philipp Wich2022-01-26 10:00:44 +0000
committerJo-Philipp Wich2022-01-26 10:13:03 +0000
commit127dbc0558bc730cdeac37cc2ac70bbe2d7e4117 (patch)
tree47c41f87b6d9d65d8cb8b7eaccaf345625bd72e6
parent101988d2ec1fee6d37f57e99e31d37554918447e (diff)
ruleset: emit AF specific rules for DSCP matches
Since nftables `dscp` matches are IP-family specific, we must emit separate IPv4 and IPv6 rules whenever a DSCP match is present.

Ref: https://bugs.openwrt.org/index.php?do=details&task_id=4240
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-rw-r--r--root/usr/share/firewall4/templates/rule.uc2
-rw-r--r--root/usr/share/ucode/fw4.uc4
-rw-r--r--tests/03_rules/03_constraints17
3 files changed, 16 insertions, 7 deletions
diff --git a/root/usr/share/firewall4/templates/rule.uc b/root/usr/share/firewall4/templates/rule.uc
index 5f1b696..c8bab59 100644
--- a/root/usr/share/firewall4/templates/rule.uc
+++ b/root/usr/share/firewall4/templates/rule.uc
@@ -56,7 +56,7 @@
{%+ if (rule.mark && rule.mark.mask == 0xFFFFFFFF): -%}
meta mark{% if (rule.mark.invert): %} !={% endif %} {{ fw4.hex(rule.mark.mark) }} {%+ endif -%}
{%+ if (rule.dscp): -%}
- dscp{% if (rule.dscp.invert): %} !={% endif %} {{ fw4.hex(rule.dscp.dscp) }} {%+ endif -%}
+ {{ fw4.ipproto(rule.family) }} dscp{% if (rule.dscp.invert): %} !={% endif %} {{ fw4.hex(rule.dscp.dscp) }} {%+ endif -%}
{%+ if (rule.ipset): -%}
{{ fw4.concat(rule.ipset.fields) }}{{
rule.ipset.invert ? ' !=' : ''
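Review bot: The added `{{ fw4.ipproto(rule.family) }}` prefix is only correct if `rule.family` has already been narrowed to a concrete family when this template runs; the template itself has no guard for a null/any family, so the fix silently depends on the emitter side marking every rule with a `dscp` match as AF specific. That coupling is not visible from this file and deserves a template comment above the match, e.g. `{# nft 'dscp' needs an ip/ip6 prefix; rule.family is expected to be concrete here because a dscp match forces AF specific rule emission #}`. If `fw4.ipproto()` can return an empty string for a null family (I cannot tell from the hunk), a bare `dscp` would be emitted again and the original bug would resurface for any caller that bypasses that narrowing. The enclosing rule template starts and ends outside this hunk.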
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 113e4f5..0d1ece0 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -2239,8 +2239,8 @@ return {
sip = subnets_split_af(rule.src_ip);
dip = subnets_split_af(rule.dest_ip);
- let has_ipv4_specifics = (length(sip[0]) || length(dip[0]) || length(itypes4));
- let has_ipv6_specifics = (length(sip[1]) || length(dip[1]) || length(itypes6));
+ let has_ipv4_specifics = (length(sip[0]) || length(dip[0]) || length(itypes4) || rule.dscp !== null);
+ let has_ipv6_specifics = (length(sip[1]) || length(dip[1]) || length(itypes6) || rule.dscp !== null);
/* if no family was configured, infer target family from IP addresses */
if (family === null) {
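Review bot: The two new `rule.dscp !== null` terms are identical and the reason for them (an nft `dscp` match is only valid behind an `ip`/`ip6` prefix) exists only in the commit message, not in the code. I would hoist it into a named, commented flag so the next reader does not wonder why a DSCP match is counted as both an IPv4 and an IPv6 specific: `let has_dscp_match = (rule.dscp !== null); /* nft 'dscp' needs an ip/ip6 prefix, force AF specific rules */` and then `... || length(itypes4) || has_dscp_match` / `... || length(itypes6) || has_dscp_match`. Note this also changes behaviour for rules that previously emitted a single `inet` rule with no AF specifics: they now always become two rules, which is intended but worth a line in the comment. If the `dscp` target path (`set_dscp`) emits a similar bare `dscp set` expression, the same prefix requirement presumably applies there too; I cannot confirm from this hunk. The enclosing function begins before this hunk and its family-inference logic continues after it.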
diff --git a/tests/03_rules/03_constraints b/tests/03_rules/03_constraints
index a8e3f66..db6cb88 100644
--- a/tests/03_rules/03_constraints
+++ b/tests/03_rules/03_constraints
@@ -47,13 +47,20 @@ Testing various option constraints.
},
{
- ".description": "DSCP rules require a set_dscp option",
+ ".description": "DSCP target rules require a set_dscp option",
"proto": "any",
- "name": "DSCP rule #1",
+ "name": "DSCP target rule #1",
"target": "dscp"
},
{
+ ".description": "DSCP matches enforce AF specific rules due to required ip/ip6 prefix",
+ "proto": "any",
+ "name": "DSCP match rule #1",
+ "dscp": "0x0"
+ },
+
+ {
".description": "Mark rules require a set_xmark or set_mark option",
"proto": "any",
"name": "Mark rule #1",
@@ -67,8 +74,8 @@ Testing various option constraints.
[!] Section @rule[0] (Helper rule #1) must specify a source zone for target 'helper'
[!] Section @rule[1] (Helper rule #2) must specify option 'set_helper' for target 'helper'
[!] Section @rule[2] (Notrack rule) must specify a source zone for target 'notrack'
-[!] Section @rule[3] (DSCP rule #1) must specify option 'set_dscp' for target 'dscp'
-[!] Section @rule[4] (Mark rule #1) must specify option 'set_mark' or 'set_xmark' for target 'mark'
+[!] Section @rule[3] (DSCP target rule #1) must specify option 'set_dscp' for target 'dscp'
+[!] Section @rule[5] (Mark rule #1) must specify option 'set_mark' or 'set_xmark' for target 'mark'
-- End --
-- Expect stdout --
@@ -117,6 +124,8 @@ table inet fw4 {
oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+ meta nfproto ipv4 ip dscp 0x0 counter comment "!fw4: DSCP match rule #1"
+ meta nfproto ipv6 ip6 dscp 0x0 counter comment "!fw4: DSCP match rule #1"
}
chain handle_reject {