Hi!
DSCP rules can only be created by specifying option src.
But option src doesn't apply any interface/zone to the rule.
It always creates a generic rule in the PREROUTING chain.
(This can be worked around with option extra '-i interface'.)
Specifying option dest 'wan' and not option src to create an output rule throws a warning and the rule is not created.
Specifying no option dest or no option src throws a warning but the output rule is created fine.
And off topic:
What is the purpose of option reload_set (when using ipsets)?
Setting this to true or false makes no difference. The set(s) are always destroyed and recreated.
How to make fw3 reload the set with the existing entries?
```
config rule
	option name 'DSCP-LAN-IPSET-TEST'
	option family 'ipv4'
	option proto 'tcp'
	option src 'lan'
	option ipset 'TEST dest'
	option set_dscp 'CS1'
	option target 'DSCP'
```
```
iptables-save | grep 'DSCP-LAN-IPSET-TEST'
-A PREROUTING -p tcp -m set --match-set TEST dst -m comment --comment "!fw3: DSCP-LAN-IPSET-TEST" -j DSCP --set-dscp 0x08
```
No interface is applied (nor any interface/zone-specific DSCP target).
If someone wants to create an OUTPUT rule, usually only dest 'wan' without src is used.
But fw3 throws an error that dest (alone) cannot be used with target DSCP.
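To spot the behaviour described above on a running box, the following check (an added example, not part of this post or of fw3) reads iptables-save output and lists every fw3 DSCP rule in PREROUTING that carries no `-i` interface match, i.e. one that applies to every zone. The sample rules are constructed; `br-lan` is assumed as the lan bridge name.

```shell
#!/bin/sh
# Constructed iptables-save excerpt (not captured from a real router):
# rule 1 is the generic PREROUTING rule fw3 emits for option src 'lan',
# rule 2 is the same rule with the "option extra '-i br-lan'" workaround,
# rule 3 is an OUTPUT rule, which has no input interface by design.
SAMPLE_RULES='-A PREROUTING -p tcp -m set --match-set TEST dst -m comment --comment "!fw3: DSCP-LAN-IPSET-TEST" -j DSCP --set-dscp 0x08
-A PREROUTING -i br-lan -p tcp -m set --match-set TEST dst -m comment --comment "!fw3: DSCP-LAN-IPSET-IF" -j DSCP --set-dscp 0x08
-A OUTPUT -p udp --dport 53 -m comment --comment "!fw3: DSCP-OUT" -j DSCP --set-dscp 0x10'

# Print the fw3 rule names of PREROUTING DSCP rules that match no
# input interface (-i). Argument: iptables-save text, one rule per line.
unscoped_dscp_rules() {
    printf '%s\n' "$1" | awk '
        /^-A PREROUTING / && /-j DSCP/ && !/(^| )-i [^ ]+/ {
            # the rule name sits inside the "!fw3: NAME" comment
            if (match($0, /"!fw3: [^"]*"/))
                print substr($0, RSTART + 7, RLENGTH - 8)
        }'
}

# Number of such rules, handy for a one-line audit in a cron job.
unscoped_dscp_count() {
    unscoped_dscp_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample; on a router replace
# "$SAMPLE_RULES" with "$(iptables-save -t mangle)".
unscoped_dscp_rules "$SAMPLE_RULES"
```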
As far as I know there is no interface specific chain in mangle table, so I don't find it weird that it is applied in generic prerouting.
Other than that, the point of DSCP target is to change the dscp value in a packet. So it is kinda pointless in OUTPUT chain. If you want a specific dscp value in a packet you originate, then originate it with that dscp from the beginning.
But there should be interface specific chains.
For example, when you have multiple zones and only want to tag traffic from a specific zone.
Why is it pointless to set DSCP Tags on traffic that is originating from the router/device itself?
Not all applications support directly setting DSCP tags.