{%+ if (rule.mark && rule.mark.mask == 0xFFFFFFFF): -%}
meta mark{% if (rule.mark.invert): %} !={% endif %} {{ fw4.hex(rule.mark.mark) }} {%+ endif -%}
{%+ if (rule.dscp): -%}
- dscp{% if (rule.dscp.invert): %} !={% endif %} {{ fw4.hex(rule.dscp.dscp) }} {%+ endif -%}
+ {{ fw4.ipproto(rule.family) }} dscp{% if (rule.dscp.invert): %} !={% endif %} {{ fw4.hex(rule.dscp.dscp) }} {%+ endif -%}
{%+ if (rule.ipset): -%}
{{ fw4.concat(rule.ipset.fields) }}{{
rule.ipset.invert ? ' !=' : ''
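Review bot: The new `{{ fw4.ipproto(rule.family) }}` prefix in front of `dscp` only produces the intended `ip`/`ip6` keyword when `rule.family` has already been narrowed to a single address family; for a family-less rule the emitted prefix is whatever `fw4.ipproto` returns for a null family, which this hunk does not show. As far as the visible lines go, that narrowing is guaranteed only by the accompanying `has_ipv4_specifics`/`has_ipv6_specifics` change in fw4.uc, so the two hunks depend on each other without either saying so. I would put a template comment directly above the `if (rule.dscp)` block, e.g. `{# dscp needs an ip/ip6 prefix, so fw4.uc splits dscp rules per family #}`, so the dependency survives the next refactor of either file. The enclosing rule block starts before and ends after this hunk.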
sip = subnets_split_af(rule.src_ip);
dip = subnets_split_af(rule.dest_ip);
- let has_ipv4_specifics = (length(sip[0]) || length(dip[0]) || length(itypes4));
- let has_ipv6_specifics = (length(sip[1]) || length(dip[1]) || length(itypes6));
+ let has_ipv4_specifics = (length(sip[0]) || length(dip[0]) || length(itypes4) || rule.dscp !== null);
+ let has_ipv6_specifics = (length(sip[1]) || length(dip[1]) || length(itypes6) || rule.dscp !== null);
/* if no family was configured, infer target family from IP addresses */
if (family === null) {
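Review bot: The `rule.dscp !== null` term added to both `has_ipv4_specifics` and `has_ipv6_specifics` uses a different predicate from the template, which emits the match under `if (rule.dscp)`; if `rule.dscp` can ever hold a falsy non-null value after option parsing (the parser is outside this hunk), a rule would be split per family without a dscp match, or matched without the split. Using the same truthiness test in both places, `|| rule.dscp)`, or documenting the reason the term exists would make the coupling explicit; the test description in the same commit already states it ("due to required ip/ip6 prefix"). The minimum I would add is a comment above the two `let` lines: `/* a dscp match is emitted as ip/ip6 dscp, so force per-family rules */`. The enclosing function starts before and ends after this hunk.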
},
{
- ".description": "DSCP rules require a set_dscp option",
+ ".description": "DSCP target rules require a set_dscp option",
"proto": "any",
- "name": "DSCP rule #1",
+ "name": "DSCP target rule #1",
"target": "dscp"
},
+ {
+ ".description": "DSCP matches enforce AF specific rules due to required ip/ip6 prefix",
+ "proto": "any",
+ "name": "DSCP match rule #1",
+ "dscp": "0x0"
+ },
+
{
".description": "Mark rules require a set_xmark or set_mark option",
"proto": "any",
[!] Section @rule[0] (Helper rule #1) must specify a source zone for target 'helper'
[!] Section @rule[1] (Helper rule #2) must specify option 'set_helper' for target 'helper'
[!] Section @rule[2] (Notrack rule) must specify a source zone for target 'notrack'
-[!] Section @rule[3] (DSCP rule #1) must specify option 'set_dscp' for target 'dscp'
-[!] Section @rule[4] (Mark rule #1) must specify option 'set_mark' or 'set_xmark' for target 'mark'
+[!] Section @rule[3] (DSCP target rule #1) must specify option 'set_dscp' for target 'dscp'
+[!] Section @rule[5] (Mark rule #1) must specify option 'set_mark' or 'set_xmark' for target 'mark'
-- End --
-- Expect stdout --
oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+ meta nfproto ipv4 ip dscp 0x0 counter comment "!fw4: DSCP match rule #1"
+ meta nfproto ipv6 ip6 dscp 0x0 counter comment "!fw4: DSCP match rule #1"
}
chain handle_reject {