Firewall rules to fw3

I have this in my firewall.user file:

iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 10

root@repeater:~# iptables -L -vt mangle
Chain PREROUTING (policy ACCEPT 28462 packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination
34156 6014K MARK       all  --  **eth1**  any     anywhere             anywhere             MARK set 0xa

I want to convert this rule into the firewall policy. My lan network is mapped to eth1:

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT

config rule
        option name 'MARKED RULES'
        option src 'lan'
        option target 'MARK'
        option proto 'all'
        option set_mark '0xa'

root@repeater:~# iptables -L -vt mangle
Chain PREROUTING (policy ACCEPT 166 packets, 27775 bytes)
 pkts bytes target     prot opt in     out     source               destination
  166 27775 MARK       all  --  **any**    any     anywhere             anywhere             /* !fw3: MARKED RULES */ MARK set 0xa

Why is my 'in' set as any?
Have I missed something in the rules policy?
Thanks
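The question above boils down to checking whether the rule fw3 rendered is still scoped to an input interface, so here is an added check (not code from the thread or from the firewall package) that scans an `iptables -L -vt mangle` listing for MARK rules whose "in" column is "any" and prints their fw3 comment. It assumes the column layout of the `-v` listings shown above ("in" is the sixth field); the sample listing embedded in it is constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `iptables -L -vt mangle` output, modelled on the
# listings in this thread: one fw3 MARK rule left on in=any, one scoped to br-lan.
SAMPLE='Chain PREROUTING (policy ACCEPT 166 packets, 27775 bytes)
 pkts bytes target     prot opt in     out     source               destination
  166 27775 MARK       all  --  any    any     anywhere             anywhere             /* !fw3: MARKED RULES */ MARK set 0xa
   12  1024 MARK       all  --  br-lan any     anywhere             anywhere             /* !fw3: lan-only mark */ MARK set 0xb

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Print the fw3 comment (or a placeholder) of every MARK rule whose "in"
# column is "any", i.e. a mark that applies to traffic from every interface
# instead of only the zone named in "option src".
# Reads a `-v` listing on stdin; in that format the "in" column is field 6.
unscoped_mark_rules() {
    awk '
        /^Chain / || $1 == "pkts" || NF == 0 { next }   # skip chain/column headers
        $3 == "MARK" && $6 == "any" {
            name = "(no comment)"
            if (match($0, /\/\*[^*]*\*\//)) name = substr($0, RSTART, RLENGTH)
            print name
        }
    '
}

# Count such rules; a correctly rendered zone-scoped rule contributes zero.
count_unscoped_mark_rules() {
    unscoped_mark_rules | awk 'END { print NR }'
}

# On the router this would be: iptables -L -vt mangle | unscoped_mark_rules
# Here the constructed sample stands in for the live listing.
printf '%s\n' "$SAMPLE" | unscoped_mark_rules
```

Run this after `/etc/init.d/firewall restart`; any line it prints names a UCI rule whose mark is not limited to the source zone you configured, which is exactly the symptom discussed in this thread.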

I believe I saw a reply from @jow to a very similar question (involving marking and also dscp) a few days ago. Have you tried searching on the forum?

This is a link to that thread:

https://forum.openwrt.org/t/advanced-policy-routing-where-does-it-go/12402/11

I have read the article, but I'm not using dscp. My rule is similar to the rule suggested by @jow:

jow (SysAdmin), 6d:

You can specify rules in /etc/config/firewall which set traffic marks, see https://wiki.openwrt.org/doc/uci/firewall2 in the “rules” section.

A classification rule would look like:

config rule
  option src wan
  option src_ip 1.2.3.0/24
  option proto all
  option target MARK
  option set_mark 123

Hmm, that would only happen if fw3 is unable to resolve the device of the lan interface through ubus.
Can you please run fw3 restart and look for warnings and errors near the top?
What is reported by ifstatus lan?
How is your lan configured in /etc/config/network?


The only warning fw3 printed:

root@repeater:/etc/config.repeater# /etc/init.d/firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
 * Flushing IPv4 filter table

All the other commands checked out.
I think this is a bug which is easily reproducible.


I tried and I cannot reproduce it. For me the rule uses -i br-lan which corresponds to my lan network interface.

Which package is responsible for fw3? I'm running Reboot (17.01.4, r3560-79f57e422d) in case I have an older version.

Thanks

The package is called "firewall".

I reset my router back to the firstboot configuration and then added the configuration below to the firewall file.
I get the same result: the rule does not have the interface name as 'in'.

config rule
        option name 'MARKED RULES'
        option src 'lan'
        option target 'MARK'
        option proto 'all'
        option set_mark '0xa'

This has been a long-standing bug in handling MARK/DSCP targets, which makes it more difficult for people to migrate their policies (e.g. QOS) from custom iptables rules into the UCI firewall config.

I've fixed this with help from @jow here, and hopefully it should be part of the 21.02 release. Only shame is that it took 3 years...


Good fix - I was playing with it yesterday and it's turned something previously unusable into something very usable.

I did note that it can be easy to generate a lot of (probably unnecessary) rules if one tries to get specific in the rules with respect to source and destination zones.

For example, my wan zone has 6 interfaces in it, so for dns, setting up one rule for my lan dns server <--> wan and then input and output rules for OpenWrt's dnsmasq to both wan and lan ended up generating a huge number of rules, which I ultimately replaced with a single any <--> any rule.