ruleset: correct mangle_output chain type

Use the `route` chain type for the `mangle_output` chain since rules in
this chain influence egress packet routing.

Fixes: #9955
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

18 files changed, 18 insertions, 18 deletions

diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index 0142d5a..faf8bed 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -362,7 +362,7 @@ table inet fw4 {
 	}
 
 	chain mangle_output {
-		type filter hook output priority mangle; policy accept;
+		type route hook output priority mangle; policy accept;
 {% for (let rule in fw4.rules("mangle_output")): %}
 		{%+ include("rule.uc", { fw4, rule }) %}
 {% endfor %}
diff --git a/tests/01_configuration/01_ruleset b/tests/01_configuration/01_ruleset
index 65cddd1..8621993 100644
--- a/tests/01_configuration/01_ruleset
+++ b/tests/01_configuration/01_ruleset
@@ -266,7 +266,7 @@ table inet fw4 {
 	}
 
 	chain mangle_output {
-		type filter hook output priority mangle; policy accept;
+		type route hook output priority mangle; policy accept;
 	}
 
 	chain mangle_forward {
diff --git a/tests/01_configuration/02_rule_order b/tests/01_configuration/02_rule_order
index 2778cce..860989a 100644
--- a/tests/01_configuration/02_rule_order
+++ b/tests/01_configuration/02_rule_order
@@ -215,7 +215,7 @@ table inet fw4 {
 	}
 
 	chain mangle_output {
-		type filter hook output priority mangle; policy accept;
+		type route hook output priority mangle; policy accept;
 	}
 
 	chain mangle_forward {
diff --git a/tests/02_zones/01_policies b/tests/02_zones/01_policies
index 7336df5..3660893 100644
--- a/tests/02_zones/01_policies
+++ b/tests/02_zones/01_policies
@@ -241,7 +241,7 @@ table inet fw4 {
 	}
 
 	chain mangle_output {
-		type filter hook output priority mangle; policy accept;
+		type route hook output priority mangle; policy accept;
 	}
 
 	chain mangle_forward {
diff --git a/tests/02_zones/02_masq b/tests/02_zones/02_masq
index 02f52cb..0612a71 100644
--- a/tests/02_zones/02_masq
+++ b/tests/02_zones/02_masq
@@ -249,7 +249,7 @@ table inet fw4 {
 	}
 
 	chain mangle_output {
-		type filter hook output priority mangle; policy accept;
+		type route hook output priority mangle; policy accept;
 	}
 
 	chain mangle_forward {
diff --git a/tests/02_zones/03_masq_src_dest_restrictions b/tests/02_zones/03_masq_src_dest_restrictions
index 27208af..8e2fcce 100644
--- a/tests/02_zones/03_masq_src_dest_restrictions
+++ b/tests/02_zones/03_masq_src_dest_restrictions
@@ -245,7 +245,7 @@ table inet fw4 {
 	}
 
 	chain mangle_output {
-		type filter hook output priority mangle; policy accept;
+		type route hook output priority mangle; policy accept;
 	}
 
 	chain mangle_forward {
diff --git a/tests/02_zones/04_wildcard_devices b/tests/02_zones/04_wildcard_devices
index ad38734..125bc27 100644
--- a/tests/02_zones/04_wildcard_devices
+++ b/tests/02_zones/04_wildcard_devices
@@ -341,7 +341,7 @@ table inet fw4 {
 	}
 
 	chain mangle_output {
-		type filter hook output priority mangle; policy accept;
+		type route hook output priority mangle; policy accept;
 	}
 
 	chain mangle_forward {
diff --git a/tests/02_zones/05_subnet_mask_matches b/tests/02_zones/05_subnet_mask_matches
index 54a86a1..f4cbc30 100644
--- a/tests/02_zones/05_subnet_mask_matches
+++ b/tests/02_zones/05_subnet_mask_matches
@@ -212,7 +212,7 @@ table inet fw4 {
 	}
 
 	chain mangle_output {
-		type filter hook output priority mangle; policy accept;
+		type route hook output priority mangle; policy accept;
 	}
 
 	chain mangle_forward {
diff --git a/tests/02_zones/06_family_selections b/tests/02_zones/06_family_selections
index ab65763..9b4d5d7 100644
--- a/tests/02_zones/06_family_selections
+++ b/tests/02_zones/06_family_selections
@@ -281,7 +281,7 @@ table inet fw4 {
 	}
 
 	chain mangle_output {
-		type filter hook output priority mangle; policy accept;
+		type route hook output priority mangle; policy accept;
 	}
 
 	chain mangle_forward {
diff --git a/tests/03_rules/01_direction b/tests/03_rules/01_direction
index 7c6dd60..ba6bfdc 100644
--- a/tests/03_rules/01_direction
+++ b/tests/03_rules/01_direction
@@ -146,7 +146,7 @@ table inet fw4 {
 	}
 
 	chain mangle_output {
-		type filter hook output priority mangle; policy accept;
+		type route hook output priority mangle; policy accept;
 	}
 
 	chain mangle_forward {
diff --git a/tests/03_rules/02_enabled b/tests/03_rules/02_enabled
index d6933c1..64dbb1c 100644
--- a/tests/03_rules/02_enabled
+++ b/tests/03_rules/02_enabled
@@ -141,7 +141,7 @@ table inet fw4 {
 	}
 
 	chain mangle_output {
-		type filter hook output priority mangle; policy accept;
+		type route hook output priority mangle; policy accept;
 	}
 
 	chain mangle_forward {
diff --git a/tests/03_rules/03_constraints b/tests/03_rules/03_constraints
index db6cb88..f92ef27 100644
--- a/tests/03_rules/03_constraints
+++ b/tests/03_rules/03_constraints
@@ -198,7 +198,7 @@ table inet fw4 {
 	}
 
 	chain mangle_output {
-		type filter hook output priority mangle; policy accept;
+		type route hook output priority mangle; policy accept;
 	}
 
 	chain mangle_forward {
diff --git a/tests/03_rules/04_icmp b/tests/03_rules/04_icmp
index a4e1346..d50b8f3 100644
--- a/tests/03_rules/04_icmp
+++ b/tests/03_rules/04_icmp
@@ -153,7 +153,7 @@ table inet fw4 {
 	}
 
 	chain mangle_output {
-		type filter hook output priority mangle; policy accept;
+		type route hook output priority mangle; policy accept;
 	}
 
 	chain mangle_forward {
diff --git a/tests/03_rules/05_mangle b/tests/03_rules/05_mangle
index 4f60557..9cd7b9f 100644
--- a/tests/03_rules/05_mangle
+++ b/tests/03_rules/05_mangle
@@ -327,7 +327,7 @@ table inet fw4 {
 	}
 
 	chain mangle_output {
-		type filter hook output priority mangle; policy accept;
+		type route hook output priority mangle; policy accept;
 		meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #7"
 		meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #7"
 		meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #7"
diff --git a/tests/03_rules/06_subnet_mask_matches b/tests/03_rules/06_subnet_mask_matches
index 89b4f7b..458fefb 100644
--- a/tests/03_rules/06_subnet_mask_matches
+++ b/tests/03_rules/06_subnet_mask_matches
@@ -317,7 +317,7 @@ table inet fw4 {
 	}
 
 	chain mangle_output {
-		type filter hook output priority mangle; policy accept;
+		type route hook output priority mangle; policy accept;
 	}
 
 	chain mangle_forward {
diff --git a/tests/03_rules/07_redirect b/tests/03_rules/07_redirect
index 90b845b..6beeafb 100644
--- a/tests/03_rules/07_redirect
+++ b/tests/03_rules/07_redirect
@@ -353,7 +353,7 @@ table inet fw4 {
 	}
 
 	chain mangle_output {
-		type filter hook output priority mangle; policy accept;
+		type route hook output priority mangle; policy accept;
 	}
 
 	chain mangle_forward {
diff --git a/tests/03_rules/08_family_inheritance b/tests/03_rules/08_family_inheritance
index a1fd39f..605c74b 100644
--- a/tests/03_rules/08_family_inheritance
+++ b/tests/03_rules/08_family_inheritance
@@ -304,7 +304,7 @@ table inet fw4 {
 	}
 
 	chain mangle_output {
-		type filter hook output priority mangle; policy accept;
+		type route hook output priority mangle; policy accept;
 	}
 
 	chain mangle_forward {
diff --git a/tests/04_forwardings/01_family_selections b/tests/04_forwardings/01_family_selections
index c7b0345..194d35a 100644
--- a/tests/04_forwardings/01_family_selections
+++ b/tests/04_forwardings/01_family_selections
@@ -236,7 +236,7 @@ table inet fw4 {
 	}
 
 	chain mangle_output {
-		type filter hook output priority mangle; policy accept;
+		type route hook output priority mangle; policy accept;
 	}
 
 	chain mangle_forward {