FS#4240 - firewall4: dscp match requires ip/ip6 prepended #9221
Labels
Comments
|
jow-: Fix pushed with accompanying regression test in https://git.openwrt.org/?p=project/firewall4.git;a=commitdiff;h=127dbc0558bc730cdeac37cc2ac70bbe2d7e4117;hp=101988d2ec1fee6d37f57e99e31d37554918447e |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
dave14305:
Device: bcm2711, r18639-f5865452ac
Firewall rule with a dscp match fails to process due to missing ip or ip6 family prepended to the dscp expression.
My rule:
config ruleoption name 'WiFi Calling'
list proto 'udp'
option src ''
option src_port '4500'
option dest ''
option dest_port '4500'
option target 'DSCP'
option set_dscp 'CS6'
option dscp 'CS0'
Invalid statements:
chain mangle_forward {type filter hook forward priority mangle; policy accept;
meta nfproto ipv4 udp sport 4500 udp dport 4500 dscp 0x0 counter ip dscp set 0x30 comment "!fw4: WiFi Calling"
meta nfproto ipv6 udp sport 4500 udp dport 4500 dscp 0x0 counter ip6 dscp set 0x30 comment "!fw4: WiFi Calling"
}
Correct statements:
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
meta nfproto ipv4 udp sport 4500 udp dport 4500 ip dscp 0x0 counter ip dscp set 0x30 comment "!fw4: WiFi Calling"
meta nfproto ipv6 udp sport 4500 udp dport 4500 ip6 dscp 0x0 counter ip6 dscp set 0x30 comment "!fw4: WiFi Calling"
Old code:
{%+ if (rule.dscp): -%}
dscp{% if (rule.dscp.invert): %} !={% endif %} {{ fw4.hex(rule.dscp.dscp) }} {%+ endif -%}
New code:
{%+ if (rule.dscp): -%}{{ fw4.ipproto(rule.family) }} dscp{% if (rule.dscp.invert): %} !={% endif %} {{ fw4.hex(rule.dscp.dscp) }} {%+ endif -%}
The text was updated successfully, but these errors were encountered: