```
iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 10
```

```
root@repeater:~# iptables -L -vt mangle
Chain PREROUTING (policy ACCEPT 28462 packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination
34156 6014K MARK       all  --  **eth1** any     anywhere             anywhere             MARK set 0xa
```
I want to convert this rule into the firewall policy. My lan network is mapped to eth1:
```
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
	option name 'MARKED RULES'
	option src 'lan'
	option target 'MARK'
	option proto 'all'
	option set_mark '0xa'
```
```
root@repeater:~# iptables -L -vt mangle
Chain PREROUTING (policy ACCEPT 166 packets, 27775 bytes)
 pkts bytes target     prot opt in     out     source               destination
  166 27775 MARK       all  --  **any**  any     anywhere             anywhere             /* !fw3: MARKED RULES */ MARK set 0xa
```
Why is my 'in' set as any?
Have I missed something in the rules policy?
Thanks
Hmm, that would only happen if fw3 is unable to resolve the device of the lan interface through ubus.
Can you please run `fw3 restart` and look for warnings and errors near the top?
What is reported by `ifstatus lan`?
How is your lan configured in `/etc/config/network`?
I reset my router back to the firstboot configuration and then added the configuration below to the firewall file.
I have the same result: the rule does not have the interface name as 'in'.
```
config rule
	option name 'MARKED RULES'
	option src 'lan'
	option target 'MARK'
	option proto 'all'
	option set_mark '0xa'
```
This has been a long-standing bug in handling MARK/DSCP targets, which makes it more difficult for people to migrate their policies (e.g. QOS) from custom iptables rules into the UCI firewall config.
I've fixed this with help from @jowhere, and hopefully it should be part of the 21.02 release. Only shame is that it took 3 years...
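A quick way to check whether a build still has this behaviour is to dump the generated mangle chain and flag any MARK rule that is not bound to an input interface. The script below is an added example for this thread, not part of fw3 or the OpenWrt project; it works on `iptables -t mangle -S PREROUTING` output, and the two sample lines are constructed to mirror the hand-written rule and the fw3-generated rule shown above.

```shell
# Added example (not from the thread or from fw3): report MARK rules in
# iptables-save / `iptables -S` syntax that carry no "-i <iface>" match.
# Usage on a live box:
#   check_mark_rules "$(iptables -t mangle -S PREROUTING)"

check_mark_rules() {
    # $1: rules, one per line, in `iptables -S` syntax.
    # Prints each MARK rule without an input-interface match.
    # Returns 1 if any such rule was found, 0 otherwise.
    found=0
    while IFS= read -r line; do
        case "$line" in
            *"-j MARK"*)
                case "$line" in
                    *" -i "*) ;;                      # bound to an interface: fine
                    *) printf 'unbound MARK rule: %s\n' "$line"; found=1 ;;
                esac
                ;;
        esac
    done <<EOF
$1
EOF
    return $found
}

count_unbound_mark_rules() {
    # Number of MARK rules lacking "-i", as a plain integer.
    check_mark_rules "$1" | wc -l | tr -d ' '
}

# Constructed sample: first line is the manual rule from the thread,
# second line is what the affected fw3 generated from the UCI rule.
SAMPLE_RULES='-A PREROUTING -i eth1 -j MARK --set-xmark 0xa/0xffffffff
-A PREROUTING -m comment --comment "!fw3: MARKED RULES" -j MARK --set-xmark 0xa/0xffffffff'

check_mark_rules "$SAMPLE_RULES" || echo "at least one MARK rule is not bound to an interface"
```

Run the check after `fw3 restart` on the upgraded build: a rule generated from `option src 'lan'` should now show up with `-i <lan device>` and the function should print nothing.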
Good fix - I was playing with it yesterday and it's turned something previously unusable into something very usable.
I did note that it can be easy to generate a lot of (probably unnecessary) rules if one tries to get specific in the rules with respect to source and destination zones.
For example, my wan zone has 6 interfaces in it, so for DNS, setting up one rule for my lan DNS server <--> wan and then input and output rules for OpenWrt's dnsmasq to both wan and lan ended up generating a huge number of rules that I ultimately replaced with a single any <--> any rule.