ruleset: correct mangle_output chain type

Use the `route` chain type for the `mangle_output` chain since rules in
this chain influence egress packet routing.

Fixes: #9955
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index 0142d5afa93368521bf865c2edb6a153e0dadc05..faf8bed808798f37808b6e9665011d1513b038a3 100644 (file)
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -362,7 +362,7 @@ table inet fw4 {
        }
 
        chain mangle_output {
-               type filter hook output priority mangle; policy accept;
+               type route hook output priority mangle; policy accept;
 {% for (let rule in fw4.rules("mangle_output")): %}
                {%+ include("rule.uc", { fw4, rule }) %}
 {% endfor %}

diff --git a/tests/01_configuration/01_ruleset b/tests/01_configuration/01_ruleset
index 65cddd174292f5e34d721f6dbcc306bf5695025f..8621993f434e016ee9d4213e4b3071321ed000dd 100644 (file)
--- a/tests/01_configuration/01_ruleset
+++ b/tests/01_configuration/01_ruleset
@@ -266,7 +266,7 @@ table inet fw4 {
        }
 
        chain mangle_output {
-               type filter hook output priority mangle; policy accept;
+               type route hook output priority mangle; policy accept;
        }
 
        chain mangle_forward {

diff --git a/tests/01_configuration/02_rule_order b/tests/01_configuration/02_rule_order
index 2778cce805de2bdbf8ba975c4c2b73e6d4721361..860989a31b321739b8616b399b857bcbbf809639 100644 (file)
--- a/tests/01_configuration/02_rule_order
+++ b/tests/01_configuration/02_rule_order
@@ -215,7 +215,7 @@ table inet fw4 {
        }
 
        chain mangle_output {
-               type filter hook output priority mangle; policy accept;
+               type route hook output priority mangle; policy accept;
        }
 
        chain mangle_forward {

diff --git a/tests/02_zones/01_policies b/tests/02_zones/01_policies
index 7336df53bcbfd53e5087cd3382bf15648ab43c4a..36608939dde4b685b8a2eedab3e1f3080a3dbe4c 100644 (file)
--- a/tests/02_zones/01_policies
+++ b/tests/02_zones/01_policies
@@ -241,7 +241,7 @@ table inet fw4 {
        }
 
        chain mangle_output {
-               type filter hook output priority mangle; policy accept;
+               type route hook output priority mangle; policy accept;
        }
 
        chain mangle_forward {

diff --git a/tests/02_zones/02_masq b/tests/02_zones/02_masq
index 02f52cb4ddac38f85e494f8197138545c62c6bf1..0612a71ee62df34bc118b664fc5ab847ffdfd123 100644 (file)
--- a/tests/02_zones/02_masq
+++ b/tests/02_zones/02_masq
@@ -249,7 +249,7 @@ table inet fw4 {
        }
 
        chain mangle_output {
-               type filter hook output priority mangle; policy accept;
+               type route hook output priority mangle; policy accept;
        }
 
        chain mangle_forward {

diff --git a/tests/02_zones/03_masq_src_dest_restrictions b/tests/02_zones/03_masq_src_dest_restrictions
index 27208afb947c5d4dcbe10de319dbf2359872eda8..8e2fcce3cefc39d33e7f502e571fa1da489dc13c 100644 (file)
--- a/tests/02_zones/03_masq_src_dest_restrictions
+++ b/tests/02_zones/03_masq_src_dest_restrictions
@@ -245,7 +245,7 @@ table inet fw4 {
        }
 
        chain mangle_output {
-               type filter hook output priority mangle; policy accept;
+               type route hook output priority mangle; policy accept;
        }
 
        chain mangle_forward {

diff --git a/tests/02_zones/04_wildcard_devices b/tests/02_zones/04_wildcard_devices
index ad38734e2b1fd5eb9be34799c36624f139c64080..125bc2701e59a06caccc2e77ef7216468c85bc57 100644 (file)
--- a/tests/02_zones/04_wildcard_devices
+++ b/tests/02_zones/04_wildcard_devices
@@ -341,7 +341,7 @@ table inet fw4 {
        }
 
        chain mangle_output {
-               type filter hook output priority mangle; policy accept;
+               type route hook output priority mangle; policy accept;
        }
 
        chain mangle_forward {

diff --git a/tests/02_zones/05_subnet_mask_matches b/tests/02_zones/05_subnet_mask_matches
index 54a86a1d99a6bc59b9056b06bb96ee042647e8d3..f4cbc302c9e62697f303d18b0cbf41d8d7b5515a 100644 (file)
--- a/tests/02_zones/05_subnet_mask_matches
+++ b/tests/02_zones/05_subnet_mask_matches
@@ -212,7 +212,7 @@ table inet fw4 {
        }
 
        chain mangle_output {
-               type filter hook output priority mangle; policy accept;
+               type route hook output priority mangle; policy accept;
        }
 
        chain mangle_forward {

diff --git a/tests/02_zones/06_family_selections b/tests/02_zones/06_family_selections
index ab6576340185a64cf36da11de5756d4db97f3caf..9b4d5d7d13c6eb40c667508722135c2b8de6d08f 100644 (file)
--- a/tests/02_zones/06_family_selections
+++ b/tests/02_zones/06_family_selections
@@ -281,7 +281,7 @@ table inet fw4 {
        }
 
        chain mangle_output {
-               type filter hook output priority mangle; policy accept;
+               type route hook output priority mangle; policy accept;
        }
 
        chain mangle_forward {

diff --git a/tests/03_rules/01_direction b/tests/03_rules/01_direction
index 7c6dd600aeae23978b3815e50597ff5d870a30b2..ba6bfdca5f555be0e3cac029988ad10d918ad869 100644 (file)
--- a/tests/03_rules/01_direction
+++ b/tests/03_rules/01_direction
@@ -146,7 +146,7 @@ table inet fw4 {
        }
 
        chain mangle_output {
-               type filter hook output priority mangle; policy accept;
+               type route hook output priority mangle; policy accept;
        }
 
        chain mangle_forward {

diff --git a/tests/03_rules/02_enabled b/tests/03_rules/02_enabled
index d6933c11c88a9feaba3ff18a5c1c36d900851a7e..64dbb1c9b67a819e426ef50b5940465db2416ca0 100644 (file)
--- a/tests/03_rules/02_enabled
+++ b/tests/03_rules/02_enabled
@@ -141,7 +141,7 @@ table inet fw4 {
        }
 
        chain mangle_output {
-               type filter hook output priority mangle; policy accept;
+               type route hook output priority mangle; policy accept;
        }
 
        chain mangle_forward {

diff --git a/tests/03_rules/03_constraints b/tests/03_rules/03_constraints
index db6cb88034e33fa7f656d3d3a22786a516e4cfa7..f92ef27b6405f30fc0fbd013387cefbd8daa9fe6 100644 (file)
--- a/tests/03_rules/03_constraints
+++ b/tests/03_rules/03_constraints
@@ -198,7 +198,7 @@ table inet fw4 {
        }
 
        chain mangle_output {
-               type filter hook output priority mangle; policy accept;
+               type route hook output priority mangle; policy accept;
        }
 
        chain mangle_forward {

diff --git a/tests/03_rules/04_icmp b/tests/03_rules/04_icmp
index a4e1346417b4a1a2e97231277cb0cc55dd2d055f..d50b8f3f870cffc67c63ddb4b6edcf4aa27c1a89 100644 (file)
--- a/tests/03_rules/04_icmp
+++ b/tests/03_rules/04_icmp
@@ -153,7 +153,7 @@ table inet fw4 {
        }
 
        chain mangle_output {
-               type filter hook output priority mangle; policy accept;
+               type route hook output priority mangle; policy accept;
        }
 
        chain mangle_forward {

diff --git a/tests/03_rules/05_mangle b/tests/03_rules/05_mangle
index 4f60557173ba57736d54d0da3bd5424b7e946529..9cd7b9fd97896ab890c8a236b4f104669fbab2ec 100644 (file)
--- a/tests/03_rules/05_mangle
+++ b/tests/03_rules/05_mangle
@@ -327,7 +327,7 @@ table inet fw4 {
        }
 
        chain mangle_output {
-               type filter hook output priority mangle; policy accept;
+               type route hook output priority mangle; policy accept;
                meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #7"
                meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #7"
                meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #7"

diff --git a/tests/03_rules/06_subnet_mask_matches b/tests/03_rules/06_subnet_mask_matches
index 89b4f7b15221a282af7d37bfefef75c70f3d40a8..458fefb1b16790f7154d52dd319daf51ea6c1f1d 100644 (file)
--- a/tests/03_rules/06_subnet_mask_matches
+++ b/tests/03_rules/06_subnet_mask_matches
@@ -317,7 +317,7 @@ table inet fw4 {
        }
 
        chain mangle_output {
-               type filter hook output priority mangle; policy accept;
+               type route hook output priority mangle; policy accept;
        }
 
        chain mangle_forward {

diff --git a/tests/03_rules/07_redirect b/tests/03_rules/07_redirect
index 90b845bd2056839076ace34ec22587358c4e70ef..6beeafb54c2ce26696d49ba98037428ba32f0f36 100644 (file)
--- a/tests/03_rules/07_redirect
+++ b/tests/03_rules/07_redirect
@@ -353,7 +353,7 @@ table inet fw4 {
        }
 
        chain mangle_output {
-               type filter hook output priority mangle; policy accept;
+               type route hook output priority mangle; policy accept;
        }
 
        chain mangle_forward {

diff --git a/tests/03_rules/08_family_inheritance b/tests/03_rules/08_family_inheritance
index a1fd39f2eadd2079d1f27cec9cb98d005bc898cd..605c74b13023797b5aadbc7917de6d583099e5e1 100644 (file)
--- a/tests/03_rules/08_family_inheritance
+++ b/tests/03_rules/08_family_inheritance
@@ -304,7 +304,7 @@ table inet fw4 {
        }
 
        chain mangle_output {
-               type filter hook output priority mangle; policy accept;
+               type route hook output priority mangle; policy accept;
        }
 
        chain mangle_forward {

diff --git a/tests/04_forwardings/01_family_selections b/tests/04_forwardings/01_family_selections
index c7b03457cf6c2a80cc1fbe5473da7ca8ec0a5186..194d35a6e8557a4cfc5657ec7c1c5359eb80cf09 100644 (file)
--- a/tests/04_forwardings/01_family_selections
+++ b/tests/04_forwardings/01_family_selections
@@ -236,7 +236,7 @@ table inet fw4 {
        }
 
        chain mangle_output {
-               type filter hook output priority mangle; policy accept;
+               type route hook output priority mangle; policy accept;
        }
 
        chain mangle_forward {