From fb9a6b2ba85bb434e6634808fd4530ac2fb2c2c0 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Mon, 30 May 2022 20:59:27 +0200
Subject: [PATCH] ruleset: correct mangle_output chain type

Use the `route` chain type for the `mangle_output` chain since rules in this chain influence egress packet routing.
Fixes: #9955
Signed-off-by: Jo-Philipp Wich
---
 root/usr/share/firewall4/templates/ruleset.uc | 2 +-
 tests/01_configuration/01_ruleset | 2 +-
 tests/01_configuration/02_rule_order | 2 +-
 tests/02_zones/01_policies | 2 +-
 tests/02_zones/02_masq | 2 +-
 tests/02_zones/03_masq_src_dest_restrictions | 2 +-
 tests/02_zones/04_wildcard_devices | 2 +-
 tests/02_zones/05_subnet_mask_matches | 2 +-
 tests/02_zones/06_family_selections | 2 +-
 tests/03_rules/01_direction | 2 +-
 tests/03_rules/02_enabled | 2 +-
 tests/03_rules/03_constraints | 2 +-
 tests/03_rules/04_icmp | 2 +-
 tests/03_rules/05_mangle | 2 +-
 tests/03_rules/06_subnet_mask_matches | 2 +-
 tests/03_rules/07_redirect | 2 +-
 tests/03_rules/08_family_inheritance | 2 +-
 tests/04_forwardings/01_family_selections | 2 +-
 18 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index 0142d5a..faf8bed 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -362,7 +362,7 @@ table inet fw4 {
 }
 chain mangle_output {
- type filter hook output priority mangle; policy accept;
+ type route hook output priority mangle; policy accept;
 {% for (let rule in fw4.rules("mangle_output")): %}
 {%+ include("rule.uc", { fw4, rule }) %}
 {% endfor %}
diff --git a/tests/01_configuration/01_ruleset b/tests/01_configuration/01_ruleset
index 65cddd1..8621993 100644
--- a/tests/01_configuration/01_ruleset
+++ b/tests/01_configuration/01_ruleset
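Review bot: Nothing next to the new `type route hook output priority mangle; policy accept;` line in `ruleset.uc` records why `mangle_output` uses the `route` type, so a later tidy-up could switch it back to `filter` and silently stop the repeated route lookup for locally generated packets whose mark or header fields a rule here rewrites. I would put a non-rendered template comment directly above that line, e.g. `{# route type: repeat the route lookup after rules here change the mark or header of locally generated packets #}`, which leaves the rendered fixtures untouched. The commit message would also benefit from one sentence on the upgrade effect: existing output mangle rules that set a mark will presumably start steering router-originated traffic through mark-based policy routes, which matters where such routes are used to keep that traffic on a tunnel. The chain body is closed outside this hunk, and the seventeen fixture hunks that follow repeat the same one-line change in expected output.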
@@ -266,7 +266,7 @@ table inet fw4 {
 }
 chain mangle_output {
- type filter hook output priority mangle; policy accept;
+ type route hook output priority mangle; policy accept;
 }
 chain mangle_forward {
diff --git a/tests/01_configuration/02_rule_order b/tests/01_configuration/02_rule_order
index 2778cce..860989a 100644
--- a/tests/01_configuration/02_rule_order
+++ b/tests/01_configuration/02_rule_order
@@ -215,7 +215,7 @@ table inet fw4 {
 }
 chain mangle_output {
- type filter hook output priority mangle; policy accept;
+ type route hook output priority mangle; policy accept;
 }
 chain mangle_forward {
diff --git a/tests/02_zones/01_policies b/tests/02_zones/01_policies
index 7336df5..3660893 100644
--- a/tests/02_zones/01_policies
+++ b/tests/02_zones/01_policies
@@ -241,7 +241,7 @@ table inet fw4 {
 }
 chain mangle_output {
- type filter hook output priority mangle; policy accept;
+ type route hook output priority mangle; policy accept;
 }
 chain mangle_forward {
diff --git a/tests/02_zones/02_masq b/tests/02_zones/02_masq
index 02f52cb..0612a71 100644
--- a/tests/02_zones/02_masq
+++ b/tests/02_zones/02_masq
@@ -249,7 +249,7 @@ table inet fw4 {
 }
 chain mangle_output {
- type filter hook output priority mangle; policy accept;
+ type route hook output priority mangle; policy accept;
 }
 chain mangle_forward {
diff --git a/tests/02_zones/03_masq_src_dest_restrictions b/tests/02_zones/03_masq_src_dest_restrictions
index 27208af..8e2fcce 100644
--- a/tests/02_zones/03_masq_src_dest_restrictions
+++ b/tests/02_zones/03_masq_src_dest_restrictions
@@ -245,7 +245,7 @@ table inet fw4 {
 }
 chain mangle_output {
- type filter hook output priority mangle; policy accept;
+ type route hook output priority mangle; policy accept;
 }
 chain mangle_forward {
diff --git a/tests/02_zones/04_wildcard_devices b/tests/02_zones/04_wildcard_devices
index ad38734..125bc27 100644
--- a/tests/02_zones/04_wildcard_devices
+++ b/tests/02_zones/04_wildcard_devices
@@ -341,7 +341,7 @@ table inet fw4 {
 }
 chain mangle_output {
- type filter hook output priority mangle; policy accept;
+ type route hook output priority mangle; policy accept;
 }
 chain mangle_forward {
diff --git a/tests/02_zones/05_subnet_mask_matches b/tests/02_zones/05_subnet_mask_matches
index 54a86a1..f4cbc30 100644
--- a/tests/02_zones/05_subnet_mask_matches
+++ b/tests/02_zones/05_subnet_mask_matches
@@ -212,7 +212,7 @@ table inet fw4 {
 }
 chain mangle_output {
- type filter hook output priority mangle; policy accept;
+ type route hook output priority mangle; policy accept;
 }
 chain mangle_forward {
diff --git a/tests/02_zones/06_family_selections b/tests/02_zones/06_family_selections
index ab65763..9b4d5d7 100644
--- a/tests/02_zones/06_family_selections
+++ b/tests/02_zones/06_family_selections
@@ -281,7 +281,7 @@ table inet fw4 {
 }
 chain mangle_output {
- type filter hook output priority mangle; policy accept;
+ type route hook output priority mangle; policy accept;
 }
 chain mangle_forward {
diff --git a/tests/03_rules/01_direction b/tests/03_rules/01_direction
index 7c6dd60..ba6bfdc 100644
--- a/tests/03_rules/01_direction
+++ b/tests/03_rules/01_direction
@@ -146,7 +146,7 @@ table inet fw4 {
 }
 chain mangle_output {
- type filter hook output priority mangle; policy accept;
+ type route hook output priority mangle; policy accept;
 }
 chain mangle_forward {
diff --git a/tests/03_rules/02_enabled b/tests/03_rules/02_enabled
index d6933c1..64dbb1c 100644
--- a/tests/03_rules/02_enabled
+++ b/tests/03_rules/02_enabled
@@ -141,7 +141,7 @@ table inet fw4 {
 }
 chain mangle_output {
- type filter hook output priority mangle; policy accept;
+ type route hook output priority mangle; policy accept;
 }
 chain mangle_forward {
diff --git a/tests/03_rules/03_constraints b/tests/03_rules/03_constraints
index db6cb88..f92ef27 100644
--- a/tests/03_rules/03_constraints
+++ b/tests/03_rules/03_constraints
@@ -198,7 +198,7 @@ table inet fw4 {
 }
 chain mangle_output {
- type filter hook output priority mangle; policy accept;
+ type route hook output priority mangle; policy accept;
 }
 chain mangle_forward {
diff --git a/tests/03_rules/04_icmp b/tests/03_rules/04_icmp
index a4e1346..d50b8f3 100644
--- a/tests/03_rules/04_icmp
+++ b/tests/03_rules/04_icmp
@@ -153,7 +153,7 @@ table inet fw4 {
 }
 chain mangle_output {
- type filter hook output priority mangle; policy accept;
+ type route hook output priority mangle; policy accept;
 }
 chain mangle_forward {
diff --git a/tests/03_rules/05_mangle b/tests/03_rules/05_mangle
index 4f60557..9cd7b9f 100644
--- a/tests/03_rules/05_mangle
+++ b/tests/03_rules/05_mangle
@@ -327,7 +327,7 @@ table inet fw4 {
 }
 chain mangle_output {
- type filter hook output priority mangle; policy accept;
+ type route hook output priority mangle; policy accept;
 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #7"
 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #7"
 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #7"
diff --git a/tests/03_rules/06_subnet_mask_matches b/tests/03_rules/06_subnet_mask_matches
index 89b4f7b..458fefb 100644
--- a/tests/03_rules/06_subnet_mask_matches
+++ b/tests/03_rules/06_subnet_mask_matches
@@ -317,7 +317,7 @@ table inet fw4 {
 }
 chain mangle_output {
- type filter hook output priority mangle; policy accept;
+ type route hook output priority mangle; policy accept;
 }
 chain mangle_forward {
diff --git a/tests/03_rules/07_redirect b/tests/03_rules/07_redirect
index 90b845b..6beeafb 100644
--- a/tests/03_rules/07_redirect
+++ b/tests/03_rules/07_redirect
@@ -353,7 +353,7 @@ table inet fw4 {
 }
 chain mangle_output {
- type filter hook output priority mangle; policy accept;
+ type route hook output priority mangle; policy accept;
 }
 chain mangle_forward {
diff --git a/tests/03_rules/08_family_inheritance b/tests/03_rules/08_family_inheritance
index a1fd39f..605c74b 100644
--- a/tests/03_rules/08_family_inheritance
+++ b/tests/03_rules/08_family_inheritance
@@ -304,7 +304,7 @@ table inet fw4 {
 }
 chain mangle_output {
- type filter hook output priority mangle; policy accept;
+ type route hook output priority mangle; policy accept;
 }
 chain mangle_forward {
diff --git a/tests/04_forwardings/01_family_selections b/tests/04_forwardings/01_family_selections
index c7b0345..194d35a 100644
--- a/tests/04_forwardings/01_family_selections
+++ b/tests/04_forwardings/01_family_selections
@@ -236,7 +236,7 @@ table inet fw4 {
 }
 chain mangle_output {
- type filter hook output priority mangle; policy accept;
+ type route hook output priority mangle; policy accept;
 }
 chain mangle_forward {
-- 
2.30.2