From the OpenWrt-devel mailing list... Dunno if a) you're aware of this, or b) if this is actually relevant...

Rich

> Begin forwarded message:
>
> From: Philip Prindeville
> Subject: Re: [PATCH firewall3 v1 0/2] fix DSCP/MARK target implementation
> Date: March 21, 2021 at 11:23:04 PM EDT
> To: Tony Ambardar
> Cc: openwrt-devel@lists.openwrt.org
> Sender: "openwrt-devel"
>
> Are you aware that many open source apps already do DSCP marking?
>
> I submitted the changes to Firefox, Thunderbird, Cyrus, Proftpd, Sendmail, Postfix, Curl, Wget, Apache... and this was more than 15 years ago.
>
> Why would you want to overwrite marking if it's already present?
>
>
>> On Mar 21, 2021, at 7:06 PM, Tony Ambardar via openwrt-devel wrote:
>>
>> The sender domain has a DMARC Reject/Quarantine policy which disallows
>> sending mailing list messages using the original "From" header.
>>
>> To mitigate this problem, the original message has been wrapped
>> automatically by the mailing list software.
>>
>> From: Tony Ambardar
>> Subject: [PATCH firewall3 v1 0/2] fix DSCP/MARK target implementation
>> Date: March 21, 2021 at 7:06:17 PM MDT
>> To: openwrt-devel@lists.openwrt.org
>> Cc: Jo-Philipp Wich , Tony Ambardar
>>
>>
>> Currently, fw3 places all DSCP/MARK target rules into the PREROUTING chain,
>> and accepts but ignores a src device. This behaviour is impractical for
>> most common applications (e.g. QOS setup), since rules are applied to all
>> devices and in all directions. Fix this generally by honouring src/dest
>> device selection and placing the rules into the appropriate chain of the
>> mangle table.
>>
>> These changes revealed the process of resolving zones to devices can add
>> duplicates due to the presence of aliased interfaces. Fix this by filtering
>> the fw3_zone->devices list during creation.
>>
>> Thanks go to Jo-Philipp Wich for sharing proof of concept code
>> on IRC and providing additional review afterwards.
>>
>> Tony Ambardar (2):
>>   zone: avoid duplicates in devices list
>>   rules: fix device and chain usage for DSCP/MARK targets
>>
>>  rules.c | 68 ++++++++++++++++++++++++++++++++++++---------------------
>>  zones.c |  9 +++++++-
>>  2 files changed, 51 insertions(+), 26 deletions(-)
>>
>> Testing
>> =======
>>
>> Regression testing was done to confirm the default OpenWrt firewall rules
>> are unchanged before and after this patch.
>>
>> Functional testing was carried out using the UCI firewall rules below. This
>> set of test cases would normally yield the following incorrect iptables
>> rules (from iptables-save, sorted by test):
>>
>> -A PREROUTING -p udp -m udp --dport 1945 -m comment --comment "!fw3: Test-1-Zone-Any-PRE" -j DSCP --set-dscp 0x00
>> -A PREROUTING -p tcp -m tcp --dport 1960 -m comment --comment "!fw3: Test-4-Any-Any-FORW" -j MARK --set-xmark 0x7/0xff
>> -A PREROUTING -p udp -m udp --dport 1965 -m comment --comment "!fw3: Test-5-Zone-Dev-IN" -j DSCP --set-dscp 0x2e
>> -A OUTPUT -p udp -m udp --dport 1975 -m comment --comment "!fw3: Test-7-Dev-Dev-OUT" -j DSCP --set-dscp 0x30
>>
>> After this change, the resulting iptables rules use the expected devices
>> and chains:
>>
>> -A PREROUTING -i br-lan -p udp -m udp --dport 1945 -m comment --comment "!fw3: Test-1-Zone-Any-PRE" -j DSCP --set-dscp 0x00
>> -A FORWARD -i br-lan -o eth0 -p udp -m udp --dport 1950 -m comment --comment "!fw3: Test-2-Zone-Zone-FORW" -j DSCP --set-dscp 0x08
>> -A POSTROUTING -o eth0 -p tcp -m tcp --dport 1955 -m comment --comment "!fw3: Test-3-Any-Zone-POST" -j MARK --set-xmark 0x3/0xff
>> -A FORWARD -p tcp -m tcp --dport 1960 -m comment --comment "!fw3: Test-4-Any-Any-FORW" -j MARK --set-xmark 0x7/0xff
>> -A INPUT -i br-lan -p udp -m udp --dport 1965 -m comment --comment "!fw3: Test-5-Zone-Dev-IN" -j DSCP --set-dscp 0x2e
>> -A OUTPUT -o eth0 -p tcp -m tcp --dport 1970 -m comment --comment "!fw3: Test-6-Dev-Zone-OUT" -j MARK --set-xmark 0xf/0xff
>> -A OUTPUT -p udp -m udp --dport 1975 -m comment --comment "!fw3: Test-7-Dev-Dev-OUT" -j DSCP --set-dscp 0x30
>>
>> UCI FW Rules
>> ------------
>>
>> config rule
>>         option enabled '1'
>>         option target 'DSCP'
>>         option set_dscp 'BE'
>>         option proto 'udp'
>>         option dest_port '1945'
>>         option name 'Test-1-Zone-Any-PRE'
>>         option src 'lan'
>>         option dest '*'
>>
>> config rule
>>         option enabled '1'
>>         option target 'DSCP'
>>         option set_dscp 'CS1'
>>         option proto 'udp'
>>         option dest_port '1950'
>>         option name 'Test-2-Zone-Zone-FORW'
>>         option src 'lan'
>>         option dest 'wan'
>>
>> config rule
>>         option enabled '1'
>>         option target 'MARK'
>>         option set_mark '0x03/0xff'
>>         option proto 'tcp'
>>         option dest_port '1955'
>>         option name 'Test-3-Any-Zone-POST'
>>         option src '*'
>>         option dest 'wan'
>>
>> config rule
>>         option enabled '1'
>>         option target 'MARK'
>>         option set_mark '0x07/0xff'
>>         option proto 'tcp'
>>         option dest_port '1960'
>>         option name 'Test-4-Any-Any-FORW'
>>         option src '*'
>>         option dest '*'
>>
>> config rule
>>         option enabled '1'
>>         option target 'DSCP'
>>         option set_dscp 'EF'
>>         option proto 'udp'
>>         option dest_port '1965'
>>         option name 'Test-5-Zone-Dev-IN'
>>         option src 'lan'
>>
>> config rule
>>         option enabled '1'
>>         option target 'MARK'
>>         option set_mark '0x0f/0xff'
>>         option proto 'tcp'
>>         option dest_port '1970'
>>         option name 'Test-6-Dev-Zone-OUT'
>>         option dest 'wan'
>>
>> config rule
>>         option enabled '1'
>>         option target 'DSCP'
>>         option set_dscp 'CS6'
>>         option proto 'udp'
>>         option dest_port '1975'
>>         option name 'Test-7-Dev-Dev-OUT'
>>
>> --
>> 2.25.1
>>
>>
>> _______________________________________________
>> openwrt-devel mailing list
>> openwrt-devel@lists.openwrt.org
>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
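The cover letter's seven test cases pin down how the patched fw3 chooses the mangle chain and the -i/-o device matches from a rule's src/dest options, and the first patch's point about aliased interfaces producing duplicate devices. The following Python is an added illustration of that mapping, written for this page and not taken from fw3's source: the chain-selection rules are inferred from the seven "after" lines above, the zone-to-device map (lan -> br-lan, wan -> eth0, with a duplicated br-lan standing in for an aliased interface) and the DSCP name table are constructed, and the check function compares the generated output against the expected iptables-save lines quoted in the cover letter.

```python
import itertools

# Constructed zone -> device map matching the cover letter's test output.
# The duplicated "br-lan" entry stands in for an aliased interface that
# resolves to the same device; without de-duplication the FORWARD rule for
# Test-2 would be emitted twice.
ZONE_DEVICES = {"lan": ["br-lan", "br-lan"], "wan": ["eth0"]}

# Standard DSCP code points (RFC 2474 class selectors, RFC 3246 EF).
DSCP_NAMES = {"BE": 0x00, "CS1": 0x08, "EF": 0x2e, "CS6": 0x30}


def select_chain(src, dest):
    """Mangle chain for a rule, inferred from the cover letter's test cases.
    None means the option is absent ("device" in the test names),
    '*' means any zone."""
    if dest is None:
        return "OUTPUT" if src is None else "INPUT"
    if src is None:
        return "OUTPUT"
    if src == "*" and dest != "*":
        return "POSTROUTING"
    if src != "*" and dest == "*":
        return "PREROUTING"
    return "FORWARD"


def zone_devices(zone, zone_map):
    """[None] (no -i/-o match) for an absent or '*' zone, otherwise the
    zone's devices with duplicates removed, order preserved."""
    if zone in (None, "*"):
        return [None]
    return list(dict.fromkeys(zone_map[zone]))


def render_target(rule):
    if rule["target"] == "DSCP":
        value = rule["set_dscp"]
        dscp = DSCP_NAMES[value] if value in DSCP_NAMES else int(value, 0)
        return "-j DSCP --set-dscp 0x%02x" % dscp
    if rule["target"] == "MARK":
        value, _, mask = rule["set_mark"].partition("/")
        mark = "0x%x" % int(value, 16)       # iptables-save drops leading zeros
        if mask:
            mark += "/0x%x" % int(mask, 16)
        return "-j MARK --set-xmark " + mark
    raise ValueError("unsupported target %r" % rule["target"])


def render_rules(rule, zone_map=ZONE_DEVICES):
    """One iptables-save style line per (in-device, out-device) pair."""
    src, dest = rule.get("src"), rule.get("dest")
    chain = select_chain(src, dest)
    lines = []
    pairs = itertools.product(zone_devices(src, zone_map),
                              zone_devices(dest, zone_map))
    for idev, odev in pairs:
        parts = ["-A", chain]
        if idev:
            parts += ["-i", idev]
        if odev:
            parts += ["-o", odev]
        parts += ["-p", rule["proto"], "-m", rule["proto"],
                  "--dport", rule["dest_port"],
                  "-m", "comment", "--comment", '"!fw3: %s"' % rule["name"],
                  render_target(rule)]
        lines.append(" ".join(parts))
    return lines


# The seven UCI rules from the cover letter, as dicts.
TEST_RULES = [
    dict(name="Test-1-Zone-Any-PRE", target="DSCP", set_dscp="BE", proto="udp", dest_port="1945", src="lan", dest="*"),
    dict(name="Test-2-Zone-Zone-FORW", target="DSCP", set_dscp="CS1", proto="udp", dest_port="1950", src="lan", dest="wan"),
    dict(name="Test-3-Any-Zone-POST", target="MARK", set_mark="0x03/0xff", proto="tcp", dest_port="1955", src="*", dest="wan"),
    dict(name="Test-4-Any-Any-FORW", target="MARK", set_mark="0x07/0xff", proto="tcp", dest_port="1960", src="*", dest="*"),
    dict(name="Test-5-Zone-Dev-IN", target="DSCP", set_dscp="EF", proto="udp", dest_port="1965", src="lan"),
    dict(name="Test-6-Dev-Zone-OUT", target="MARK", set_mark="0x0f/0xff", proto="tcp", dest_port="1970", dest="wan"),
    dict(name="Test-7-Dev-Dev-OUT", target="DSCP", set_dscp="CS6", proto="udp", dest_port="1975"),
]

# The expected post-patch iptables-save lines quoted in the cover letter.
EXPECTED = [
    '-A PREROUTING -i br-lan -p udp -m udp --dport 1945 -m comment --comment "!fw3: Test-1-Zone-Any-PRE" -j DSCP --set-dscp 0x00',
    '-A FORWARD -i br-lan -o eth0 -p udp -m udp --dport 1950 -m comment --comment "!fw3: Test-2-Zone-Zone-FORW" -j DSCP --set-dscp 0x08',
    '-A POSTROUTING -o eth0 -p tcp -m tcp --dport 1955 -m comment --comment "!fw3: Test-3-Any-Zone-POST" -j MARK --set-xmark 0x3/0xff',
    '-A FORWARD -p tcp -m tcp --dport 1960 -m comment --comment "!fw3: Test-4-Any-Any-FORW" -j MARK --set-xmark 0x7/0xff',
    '-A INPUT -i br-lan -p udp -m udp --dport 1965 -m comment --comment "!fw3: Test-5-Zone-Dev-IN" -j DSCP --set-dscp 0x2e',
    '-A OUTPUT -o eth0 -p tcp -m tcp --dport 1970 -m comment --comment "!fw3: Test-6-Dev-Zone-OUT" -j MARK --set-xmark 0xf/0xff',
    '-A OUTPUT -p udp -m udp --dport 1975 -m comment --comment "!fw3: Test-7-Dev-Dev-OUT" -j DSCP --set-dscp 0x30',
]


def check_cover_letter_cases():
    """True when every generated line equals the cover letter's expected output."""
    generated = [line for rule in TEST_RULES for line in render_rules(rule)]
    return generated == EXPECTED


if __name__ == "__main__":
    for rule in TEST_RULES:
        print("\n".join(render_rules(rule)))
    print("all cases match:", check_cover_letter_cases())
```

Two points worth noticing when reading the output: the mapping never puts -o on INPUT/PREROUTING or -i on OUTPUT/POSTROUTING, which iptables would reject, and a zone whose device list carries a duplicate (the aliased-interface case the first patch addresses) still yields exactly one rule per real device pair.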