Ysurac / openmptcprouter

OpenMPTCProuter is an open source solution to aggregate multiple internet connections using Multipath TCP (MPTCP) on OpenWrt
https://www.openmptcprouter.com/
GNU General Public License v3.0
1.84k stars 265 forks source link

DSCP isn't working in v0.61-rc3 #3586

Open darkman1983 opened 3 weeks ago

darkman1983 commented 3 weeks ago

Expected Behavior

When i set DSCP rules in UI, they should be used.

Current Behavior

If i set a rule, for eg. Usenet (Port 563 for secure), DSCP isn't applied. I've monitored with tcpdump, but the DSCP flag isn't set. I already checked, that DSCP is working at all - and it is. For me it seems, that all standard rules, that ship with OpenMPTCPRouter are applied, but none of the rules i've added.

When i monitor the traffic on port 563, it's there, but no DSCP.

Is DSCP still not working? You marked it as fixed, i'm just wondering. Any help would be apriciated.

tcpdump -i eth0 -nn -vv 'tcp port 563'

20:23:53.374486 IP (tos 0x0, ttl 64, id 57700, offset 0, flags [DF], proto TCP (6), length 1500) 185.90.196.70.563 > 192.168.100.2.37444: Flags [.], cksum 0x576f (correct), seq 6683069:6684517, ack 1319, win 84, options [nop,nop,TS val 671939318 ecr 68279301], length 1448 20:23:53.374488 IP (tos 0x0, ttl 64, id 57701, offset 0, flags [DF], proto TCP (6), length 1500) 185.90.196.70.563 > 192.168.100.2.37444: Flags [.], cksum 0xa812 (correct), seq 6684517:6685965, ack 1319, win 84, options [nop,nop,TS val 671939318 ecr 68279301], length 1448 20:23:53.374489 IP (tos 0x0, ttl 64, id 57702, offset 0, flags [DF], proto TCP (6), length 1500) 185.90.196.70.563 > 192.168.100.2.37444: Flags [.], cksum 0x9cd6 (correct), seq 6685965:6687413, ack 1319, win 84, options [nop,nop,TS val 671939318 ecr 68279301], length 1448 20:23:53.374490 IP (tos 0x0, ttl 64, id 57703, offset 0, flags [DF], proto TCP (6), length 1500) 185.90.196.70.563 > 192.168.100.2.37444: Flags [.], cksum 0x0ce0 (correct), seq 6687413:6688861, ack 1319, win 84, options [nop,nop,TS val 671939318 ecr 68279301], length 1448 20:23:53.374491 IP (tos 0x0, ttl 64, id 57704, offset 0, flags [DF], proto TCP (6), length 1500) 185.90.196.70.563 > 192.168.100.2.37444: Flags [.], cksum 0x41be (correct), seq 6688861:6690309, ack 1319, win 84, options [nop,nop,TS val 671939318 ecr 68279301], length 1448 20:23:53.374492 IP (tos 0x0, ttl 64, id 57705, offset 0, flags [DF], proto TCP (6), length 1500) 185.90.196.70.563 > 192.168.100.2.37444: Flags [.], cksum 0xb425 (correct), seq 6690309:6691757, ack 1319, win 84, options [nop,nop,TS val 671939318 ecr 68279301], length 1448 20:23:53.374494 IP (tos 0x0, ttl 64, id 57706, offset 0, flags [DF], proto TCP (6), length 1500) 185.90.196.70.563 > 192.168.100.2.37444: Flags [.], cksum 0x0f6f (correct), seq 6691757:6693205, ack 1319, win 84, options [nop,nop,TS val 671939318 ecr 68279301], length 1448

As you can see: tos 0x0

image

And now: tcpdump -i eth0 -nn -vv 'ip[1] & 0xfc != 0 and not port 22'

20:30:17.565748 IP (tos 0x28, ttl 51, id 43491, offset 0, flags [DF], proto TCP (6), length 52) 194.28.98.129.44354 > 192.168.100.2.16127: Flags [.], cksum 0x421f (correct), seq 6, ack 5230, win 501, options [nop,nop,TS val 4041981868 ecr 3773024864], length 0 20:30:17.955428 IP (tos 0x28, ttl 51, id 43492, offset 0, flags [DF], proto TCP (6), length 52) 194.28.98.129.44354 > 192.168.100.2.16127: Flags [.], cksum 0x3d5b (correct), seq 6, ack 5663, win 501, options [nop,nop,TS val 4041982253 ecr 3773025266], length 0 20:30:18.641707 IP (tos 0x28, ttl 51, id 43493, offset 0, flags [DF], proto TCP (6), length 52) 194.28.98.129.44354 > 192.168.100.2.16127: Flags [.], cksum 0x36ce (correct), seq 6, ack 5989, win 501, options [nop,nop,TS val 4041982938 ecr 3773025932], length 0 20:30:18.729450 IP (tos 0xe0, ttl 115, id 0, offset 0, flags [none], proto ICMP (1), length 29) 216.58.206.46 > 192.168.100.2: ICMP echo reply, id 34550, seq 7, length 9 20:30:18.774467 IP (tos 0x28, ttl 51, id 43494, offset 0, flags [DF], proto TCP (6), length 52) 194.28.98.129.44354 > 192.168.100.2.16127: Flags [.], cksum 0x338b (correct), seq 6, ack 6528, win 501, options [nop,nop,TS val 4041983077 ecr 3773026089], length 0 20:30:18.864429 IP (tos 0x88, ttl 64, id 684, offset 0, flags [none], proto UDP (17), length 176) 192.168.100.2.43520 > 37.201.146.248.16202: [udp sum ok] UDP, length 148

Please help :-D

Specifications

darkman1983 commented 3 weeks ago

root@OpenMPTCProuter:~# uci show dscp dscp.@classify[0]=classify dscp.@classify[0].direction='both' dscp.@classify[0].proto='icmp' dscp.@classify[0].class='cs7' dscp.@classify[0].comment='ICMP' dscp.@classify[1]=classify dscp.@classify[1].direction='both' dscp.@classify[1].proto='udp' dscp.@classify[1].class='cs4' dscp.@classify[1].src_port='53,123,5353' dscp.@classify[1].comment='DNS udp and NTP' dscp.@classify[2]=classify dscp.@classify[2].direction='both' dscp.@classify[2].proto='tcp' dscp.@classify[2].class='cs4' dscp.@classify[2].src_port='53,5353' dscp.@classify[2].comment='DNS tcp' dscp.@classify[3]=classify dscp.@classify[3].direction='both' dscp.@classify[3].proto='tcp' dscp.@classify[3].class='cs4' dscp.@classify[3].dest_port='65500' dscp.@classify[3].comment='OMR API' dscp.@classify[4]=classify dscp.@classify[4].direction='both' dscp.@classify[4].proto='tcp' dscp.@classify[4].class='cs7' dscp.@classify[4].dest_port='65001,65301,65401,65011' dscp.@classify[4].comment='OMR vpn' dscp.@classify[5]=classify dscp.@classify[5].direction='both' dscp.@classify[5].proto='udp' dscp.@classify[5].class='cs7' dscp.@classify[5].dest_port='65001,65301' dscp.@classify[5].comment='OMR vpn' dscp.@classify[6]=classify dscp.@classify[6].direction='both' dscp.@classify[6].proto='tcp' dscp.@classify[6].class='cs6' dscp.@classify[6].dest_port='65101,65228' dscp.@classify[6].comment='OMR proxy' dscp.@domains[0]=domains dscp.@domains[0].name='googlevideo.com' dscp.@domains[0].class='cs4' dscp.@domains[1]=domains dscp.@domains[1].name='nflxvideo.net' dscp.@domains[1].class='cs4' dscp.@domains[2]=domains dscp.@domains[2].name='s3.ll.dash.row.aiv-cdn.net' dscp.@domains[2].class='cs4' dscp.@domains[3]=domains dscp.@domains[3].name='d25xi40x97liuc.cloudfront.net' dscp.@domains[3].class='cs4' dscp.@domains[4]=domains dscp.@domains[4].name='aiv-delivery.net' dscp.@domains[4].class='cs4' dscp.@domains[5]=domains dscp.@domains[5].name='fbcdn.net' dscp.@domains[5].class='cs4' dscp.@domains[6]=domains dscp.@domains[6].name='ttvnw.net' dscp.@domains[6].class='cs4' dscp.@domains[7]=domains dscp.@domains[7].name='vevo.com' dscp.@domains[7].class='cs4' dscp.@domains[8]=domains dscp.@domains[8].name='audio-fa.scdn.com' dscp.@domains[8].class='cs4' dscp.@domains[9]=domains dscp.@domains[9].name='deezer.com' dscp.@domains[9].class='cs4' dscp.@domains[10]=domains dscp.@domains[10].name='sndcdn.com' dscp.@domains[10].class='cs4' dscp.@domains[11]=domains dscp.@domains[11].name='last.fm' dscp.@domains[11].class='cs4' dscp.@domains[12]=domains dscp.@domains[12].name='v.redd.it' dscp.@domains[12].class='cs4' dscp.@domains[13]=domains dscp.@domains[13].name='ttvnw.net' dscp.@domains[13].class='cs4' dscp.@domains[14]=domains dscp.@domains[14].name='googletagmanager.com' dscp.@domains[14].class='cs2' dscp.@domains[15]=domains dscp.@domains[15].name='googleusercontent.com' dscp.@domains[15].class='cs2' dscp.@domains[16]=domains dscp.@domains[16].name='google.com' dscp.@domains[16].class='cs2' dscp.@domains[17]=domains dscp.@domains[17].name='fbcdn.net' dscp.@domains[17].class='cs2' dscp.@domains[18]=domains dscp.@domains[18].name='akamaihd.net' dscp.@domains[18].class='cs2' dscp.@domains[19]=domains dscp.@domains[19].name='whatsapp.net' dscp.@domains[19].class='cs2' dscp.@domains[20]=domains dscp.@domains[20].name='whatsapp.com' dscp.@domains[20].class='cs2' dscp.@domains[21]=domains dscp.@domains[21].name='zoom.us' dscp.@domains[21].class='cs2' dscp.@domains[22]=domains dscp.@domains[22].name='googleapis.com' dscp.@domains[22].class='cs2' dscp.@domains[23]=domains dscp.@domains[23].name='1e100.net' dscp.@domains[23].class='cs2' dscp.@domains[24]=domains dscp.@domains[24].name='hwcdn.net' dscp.@domains[24].class='cs2' dscp.@domains[25]=domains dscp.@domains[25].name='download.qq.com' dscp.@domains[25].class='cs1' dscp.@domains[26]=domains dscp.@domains[26].name='steamcontent.com' dscp.@domains[26].class='cs1' dscp.@domains[27]=domains dscp.@domains[27].name='gs2.ww.prod.dl.playstation.net' dscp.@domains[27].class='cs1' dscp.@domains[28]=domains dscp.@domains[28].name='dropbox.com' dscp.@domains[28].class='cs1' dscp.@domains[29]=domains dscp.@domains[29].name='dropboxstatic.com' dscp.@domains[29].class='cs1' dscp.@domains[30]=domains dscp.@domains[30].name='dropbox-dns.com' dscp.@domains[30].class='cs1' dscp.@domains[31]=domains dscp.@domains[31].name='log.getdropbox.com' dscp.@domains[31].class='cs1' dscp.@domains[32]=domains dscp.@domains[32].name='drive.google.com' dscp.@domains[32].class='cs1' dscp.@domains[33]=domains dscp.@domains[33].name='drive-thirdparty.googleusercontent.com' dscp.@domains[33].class='cs1' dscp.@domains[34]=domains dscp.@domains[34].name='docs.google.com' dscp.@domains[34].class='cs1' dscp.@domains[35]=domains dscp.@domains[35].name='docs.googleusercontent.com' dscp.@domains[35].class='cs1' dscp.@domains[36]=domains dscp.@domains[36].name='gvt1.com' dscp.@domains[36].class='cs1' dscp.@domains[37]=domains dscp.@domains[37].name='mmg-fna.whatsapp.net' dscp.@domains[37].class='cs1' dscp.@domains[38]=domains dscp.@domains[38].name='upload.youtube.com' dscp.@domains[38].class='cs1' dscp.@domains[39]=domains dscp.@domains[39].name='upload.video.google.com' dscp.@domains[39].class='cs1' dscp.@domains[40]=domains dscp.@domains[40].name='windowsupdate.com' dscp.@domains[40].class='cs1' dscp.@domains[41]=domains dscp.@domains[41].name='update.microsoft.com' dscp.@domains[41].class='cs1' dscp.@domains[42]=domains dscp.@domains[42].name='tv.milkywan.fr' dscp.@domains[42].class='cs5' dscp.@domains[43]=domains dscp.@domains[43].name='shadow.tech' dscp.@domains[43].class='cs4' dscp.@domains[44]=domains dscp.@domains[44].name='eu.shadow.tech' dscp.@domains[44].class='cs4' dscp.@domains[45]=domains dscp.@domains[45].name='ipv4-gpu-fish-rise-613323f7.frsbg01.compute.shadow.tech' dscp.@domains[45].class='cs7' dscp.@domains[46]=domains dscp.@domains[46].name='drive.shadow.tech' dscp.@domains[46].class='cs1' dscp.@domains[47]=domains dscp.@domains[47].name='api.eu.shadow.tech' dscp.@domains[47].class='cs2' dscp.@domains[48]=domains dscp.@domains[48].name='speedtest.frsbg01.shadow.tech' dscp.@domains[48].class='cs2' dscp.@domains[49]=domains dscp.@domains[49].name='dot.ffmuc.net' dscp.@domains[49].class='cs4' dscp.@domains[50]=domains dscp.@domains[50].name='dns.digitale-gesellschaft.ch' dscp.@domains[50].class='cs4' dscp.@domains[51]=domains dscp.@domains[51].name='dnsforge.de' dscp.@domains[51].class='cs4' dscp.@domains[52]=domains dscp.@domains[52].name='dns.quad9.net' dscp.@domains[52].class='cs4' dscp.@domains[53]=domains dscp.@domains[53].name='unfiltered.adguard-dns.com' dscp.@domains[53].class='cs4' dscp.@domains[54]=domains dscp.@domains[54].name='dns.njal.la' dscp.@domains[54].class='cs4' dscp.@domains[55]=domains dscp.@domains[55].name='base.dns.mullvad.net' dscp.@domains[55].class='cs4' dscp.@domains[56]=domains dscp.@domains[56].name='fngw-mcp-gc-livefn.ol.epicgames.com' dscp.@domains[56].class='cs4' dscp.@domains[57]=domains dscp.@domains[57].name='fn-service-discovery-live-public.ogs.live.on.epicgames.com' dscp.@domains[57].class='cs4' dscp.@domains[58]=domains dscp.@domains[58].name='fn-hotconfigs.ogs.live.on.epicgames.com' dscp.@domains[58].class='cs4' dscp.@domains[59]=domains dscp.@domains[59].name='fortnitewaitingroom-public-service-prod.ol.epicgames.com' dscp.@domains[59].class='cs4' dscp.@domains[60]=domains dscp.@domains[60].name='fortnite-matchmaking-public-service-live-nae.ol.epicgames.com' dscp.@domains[60].class='cs4' dscp.@classify[7]=classify dscp.@classify[7].direction='both' dscp.@classify[7].proto='udp' dscp.@classify[7].dest_port='3478-3479, 5060, 5062, 6250' dscp.@classify[7].class='ef' dscp.@classify[7].comment='High priority for Fortnite' dscp.@classify[8]=classify dscp.@classify[8].direction='both' dscp.@classify[8].proto='udp' dscp.@classify[8].dest_port='1119, 1118, 1117' dscp.@classify[8].class='ef' dscp.@classify[8].comment='High priority for Blizzard games traffic (both)' dscp.@classify[9]=classify dscp.@classify[9].direction='both' dscp.@classify[9].proto='all' dscp.@classify[9].dest_port='5200, 5201' dscp.@classify[9].class='ef' dscp.@classify[9].comment='High priority for Once Human traffic (both)' dscp.@classify[10]=classify dscp.@classify[10].direction='both' dscp.@classify[10].proto='all' dscp.@classify[10].dest_port='5600, 5601' dscp.@classify[10].class='ef' dscp.@classify[10].comment='High priority for Age of Wonders 4 traffic (both)' dscp.@classify[11]=classify dscp.@classify[11].direction='upload' dscp.@classify[11].proto='all' dscp.@classify[11].dest_port='6000, 6001' dscp.@classify[11].class='ef' dscp.@classify[11].comment='High priority for Black Myth Wukong traffic (both)' dscp.@classify[12]=classify dscp.@classify[12].direction='both' dscp.@classify[12].proto='all' dscp.@classify[12].class='cs1' dscp.@classify[12].comment='Low priority for Usenet traffic' dscp.@classify[12].dest_port='563' dscp.@domains[61]=domains dscp.@domains[61].name='news.eweka.nl' dscp.@domains[61].class='cs1'

root@OpenMPTCProuter:~# uci show dscp dscp.@classify[0]=classify dscp.@classify[0].direction='both' dscp.@classify[0].proto='icmp' dscp.@classify[0].class='cs7' dscp.@classify[0].comment='ICMP' dscp.@classify[1]=classify dscp.@classify[1].direction='both' dscp.@classify[1].proto='udp' dscp.@classify[1].class='cs4' dscp.@classify[1].src_port='53,123,5353' dscp.@classify[1].comment='DNS udp and NTP' dscp.@classify[2]=classify dscp.@classify[2].direction='both' dscp.@classify[2].proto='tcp' dscp.@classify[2].class='cs4' dscp.@classify[2].src_port='53,5353' dscp.@classify[2].comment='DNS tcp' dscp.@classify[3]=classify dscp.@classify[3].direction='both' dscp.@classify[3].proto='tcp' dscp.@classify[3].class='cs4' dscp.@classify[3].dest_port='65500' dscp.@classify[3].comment='OMR API' dscp.@classify[4]=classify dscp.@classify[4].direction='both' dscp.@classify[4].proto='tcp' dscp.@classify[4].class='cs7' dscp.@classify[4].dest_port='65001,65301,65401,65011' dscp.@classify[4].comment='OMR vpn' dscp.@classify[5]=classify dscp.@classify[5].direction='both' dscp.@classify[5].proto='udp' dscp.@classify[5].class='cs7' dscp.@classify[5].dest_port='65001,65301' dscp.@classify[5].comment='OMR vpn' dscp.@classify[6]=classify dscp.@classify[6].direction='both' dscp.@classify[6].proto='tcp' dscp.@classify[6].class='cs6' dscp.@classify[6].dest_port='65101,65228' dscp.@classify[6].comment='OMR proxy' dscp.@domains[0]=domains dscp.@domains[0].name='googlevideo.com' dscp.@domains[0].class='cs4' dscp.@domains[1]=domains dscp.@domains[1].name='nflxvideo.net' dscp.@domains[1].class='cs4' dscp.@domains[2]=domains dscp.@domains[2].name='s3.ll.dash.row.aiv-cdn.net' dscp.@domains[2].class='cs4' dscp.@domains[3]=domains dscp.@domains[3].name='d25xi40x97liuc.cloudfront.net' dscp.@domains[3].class='cs4' dscp.@domains[4]=domains dscp.@domains[4].name='aiv-delivery.net' dscp.@domains[4].class='cs4' dscp.@domains[5]=domains dscp.@domains[5].name='fbcdn.net' dscp.@domains[5].class='cs4' dscp.@domains[6]=domains dscp.@domains[6].name='ttvnw.net' dscp.@domains[6].class='cs4' dscp.@domains[7]=domains dscp.@domains[7].name='vevo.com' dscp.@domains[7].class='cs4' dscp.@domains[8]=domains dscp.@domains[8].name='audio-fa.scdn.com' dscp.@domains[8].class='cs4' dscp.@domains[9]=domains dscp.@domains[9].name='deezer.com' dscp.@domains[9].class='cs4' dscp.@domains[10]=domains dscp.@domains[10].name='sndcdn.com' dscp.@domains[10].class='cs4' dscp.@domains[11]=domains dscp.@domains[11].name='last.fm' dscp.@domains[11].class='cs4' dscp.@domains[12]=domains dscp.@domains[12].name='v.redd.it' dscp.@domains[12].class='cs4' dscp.@domains[13]=domains dscp.@domains[13].name='ttvnw.net' dscp.@domains[13].class='cs4' dscp.@domains[14]=domains dscp.@domains[14].name='googletagmanager.com' dscp.@domains[14].class='cs2' dscp.@domains[15]=domains dscp.@domains[15].name='googleusercontent.com' dscp.@domains[15].class='cs2' dscp.@domains[16]=domains dscp.@domains[16].name='google.com' dscp.@domains[16].class='cs2' dscp.@domains[17]=domains dscp.@domains[17].name='fbcdn.net' dscp.@domains[17].class='cs2' dscp.@domains[18]=domains dscp.@domains[18].name='akamaihd.net' dscp.@domains[18].class='cs2' dscp.@domains[19]=domains dscp.@domains[19].name='whatsapp.net' dscp.@domains[19].class='cs2' dscp.@domains[20]=domains dscp.@domains[20].name='whatsapp.com' dscp.@domains[20].class='cs2' dscp.@domains[21]=domains dscp.@domains[21].name='zoom.us' dscp.@domains[21].class='cs2' dscp.@domains[22]=domains dscp.@domains[22].name='googleapis.com' dscp.@domains[22].class='cs2' dscp.@domains[23]=domains dscp.@domains[23].name='1e100.net' dscp.@domains[23].class='cs2' dscp.@domains[24]=domains dscp.@domains[24].name='hwcdn.net' dscp.@domains[24].class='cs2' dscp.@domains[25]=domains dscp.@domains[25].name='download.qq.com' dscp.@domains[25].class='cs1' dscp.@domains[26]=domains dscp.@domains[26].name='steamcontent.com' dscp.@domains[26].class='cs1' dscp.@domains[27]=domains dscp.@domains[27].name='gs2.ww.prod.dl.playstation.net' dscp.@domains[27].class='cs1' dscp.@domains[28]=domains dscp.@domains[28].name='dropbox.com' dscp.@domains[28].class='cs1' dscp.@domains[29]=domains dscp.@domains[29].name='dropboxstatic.com' dscp.@domains[29].class='cs1' dscp.@domains[30]=domains dscp.@domains[30].name='dropbox-dns.com' dscp.@domains[30].class='cs1' dscp.@domains[31]=domains dscp.@domains[31].name='log.getdropbox.com' dscp.@domains[31].class='cs1' dscp.@domains[32]=domains dscp.@domains[32].name='drive.google.com' dscp.@domains[32].class='cs1' dscp.@domains[33]=domains dscp.@domains[33].name='drive-thirdparty.googleusercontent.com' dscp.@domains[33].class='cs1' dscp.@domains[34]=domains dscp.@domains[34].name='docs.google.com' dscp.@domains[34].class='cs1' dscp.@domains[35]=domains dscp.@domains[35].name='docs.googleusercontent.com' dscp.@domains[35].class='cs1' dscp.@domains[36]=domains dscp.@domains[36].name='gvt1.com' dscp.@domains[36].class='cs1' dscp.@domains[37]=domains dscp.@domains[37].name='mmg-fna.whatsapp.net' dscp.@domains[37].class='cs1' dscp.@domains[38]=domains dscp.@domains[38].name='upload.youtube.com' dscp.@domains[38].class='cs1' dscp.@domains[39]=domains dscp.@domains[39].name='upload.video.google.com' dscp.@domains[39].class='cs1' dscp.@domains[40]=domains dscp.@domains[40].name='windowsupdate.com' dscp.@domains[40].class='cs1' dscp.@domains[41]=domains dscp.@domains[41].name='update.microsoft.com' dscp.@domains[41].class='cs1' dscp.@domains[42]=domains dscp.@domains[42].name='tv.milkywan.fr' dscp.@domains[42].class='cs5' dscp.@domains[43]=domains dscp.@domains[43].name='shadow.tech' dscp.@domains[43].class='cs4' dscp.@domains[44]=domains dscp.@domains[44].name='eu.shadow.tech' dscp.@domains[44].class='cs4' dscp.@domains[45]=domains dscp.@domains[45].name='ipv4-gpu-fish-rise-613323f7.frsbg01.compute.shadow.tech' dscp.@domains[45].class='cs7' dscp.@domains[46]=domains dscp.@domains[46].name='drive.shadow.tech' dscp.@domains[46].class='cs1' dscp.@domains[47]=domains dscp.@domains[47].name='api.eu.shadow.tech' dscp.@domains[47].class='cs2' dscp.@domains[48]=domains dscp.@domains[48].name='speedtest.frsbg01.shadow.tech' dscp.@domains[48].class='cs2' dscp.@domains[49]=domains dscp.@domains[49].name='dot.ffmuc.net' dscp.@domains[49].class='cs4' dscp.@domains[50]=domains dscp.@domains[50].name='dns.digitale-gesellschaft.ch' dscp.@domains[50].class='cs4' dscp.@domains[51]=domains dscp.@domains[51].name='dnsforge.de' dscp.@domains[51].class='cs4' dscp.@domains[52]=domains dscp.@domains[52].name='dns.quad9.net' dscp.@domains[52].class='cs4' dscp.@domains[53]=domains dscp.@domains[53].name='unfiltered.adguard-dns.com' dscp.@domains[53].class='cs4' dscp.@domains[54]=domains dscp.@domains[54].name='dns.njal.la' dscp.@domains[54].class='cs4' dscp.@domains[55]=domains dscp.@domains[55].name='base.dns.mullvad.net' dscp.@domains[55].class='cs4' dscp.@domains[56]=domains dscp.@domains[56].name='fngw-mcp-gc-livefn.ol.epicgames.com' dscp.@domains[56].class='cs4' dscp.@domains[57]=domains dscp.@domains[57].name='fn-service-discovery-live-public.ogs.live.on.epicgames.com' dscp.@domains[57].class='cs4' dscp.@domains[58]=domains dscp.@domains[58].name='fn-hotconfigs.ogs.live.on.epicgames.com' dscp.@domains[58].class='cs4' dscp.@domains[59]=domains dscp.@domains[59].name='fortnitewaitingroom-public-service-prod.ol.epicgames.com' dscp.@domains[59].class='cs4' dscp.@domains[60]=domains dscp.@domains[60].name='fortnite-matchmaking-public-service-live-nae.ol.epicgames.com' dscp.@domains[60].class='cs4' dscp.@classify[7]=classify dscp.@classify[7].direction='both' dscp.@classify[7].proto='udp' dscp.@classify[7].dest_port='3478-3479, 5060, 5062, 6250' dscp.@classify[7].class='ef' dscp.@classify[7].comment='High priority for Fortnite' dscp.@classify[8]=classify dscp.@classify[8].direction='both' dscp.@classify[8].proto='udp' dscp.@classify[8].dest_port='1119, 1118, 1117' dscp.@classify[8].class='ef' dscp.@classify[8].comment='High priority for Blizzard games traffic (both)' dscp.@classify[9]=classify dscp.@classify[9].direction='both' dscp.@classify[9].proto='all' dscp.@classify[9].dest_port='5200, 5201' dscp.@classify[9].class='ef' dscp.@classify[9].comment='High priority for Once Human traffic (both)' dscp.@classify[10]=classify dscp.@classify[10].direction='both' dscp.@classify[10].proto='all' dscp.@classify[10].dest_port='5600, 5601' dscp.@classify[10].class='ef' dscp.@classify[10].comment='High priority for Age of Wonders 4 traffic (both)' dscp.@classify[11]=classify dscp.@classify[11].direction='upload' dscp.@classify[11].proto='all' dscp.@classify[11].dest_port='6000, 6001' dscp.@classify[11].class='ef' dscp.@classify[11].comment='High priority for Black Myth Wukong traffic (both)' dscp.@classify[12]=classify dscp.@classify[12].direction='both' dscp.@classify[12].proto='all' dscp.@classify[12].class='cs1' dscp.@classify[12].comment='Low priority for Usenet traffic' dscp.@classify[12].dest_port='563' dscp.@domains[61]=domains dscp.@domains[61].name='news.eweka.nl' dscp.@domains[61].class='cs1' root@OpenMPTCProuter:~# clear root@OpenMPTCProuter:~# uci show dhcp dhcp.@dnsmasq[0]=dnsmasq dhcp.@dnsmasq[0].domainneeded='1' dhcp.@dnsmasq[0].localise_queries='1' dhcp.@dnsmasq[0].rebind_protection='1' dhcp.@dnsmasq[0].rebind_localhost='1' dhcp.@dnsmasq[0].local='/lan/' dhcp.@dnsmasq[0].domain='lan' dhcp.@dnsmasq[0].expandhosts='1' dhcp.@dnsmasq[0].nonegcache='1' dhcp.@dnsmasq[0].cachesize='1000' dhcp.@dnsmasq[0].authoritative='1' dhcp.@dnsmasq[0].readethers='1' dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases' dhcp.@dnsmasq[0].localservice='1' dhcp.@dnsmasq[0].ednspacket_max='1232' dhcp.@dnsmasq[0].noresolv='1' dhcp.@dnsmasq[0].rebind_domain='plex.direct' dhcp.@dnsmasq[0].dnsforwardmax='1500' dhcp.@dnsmasq[0].server='127.0.0.1#5353' '/lan/' '/use-application-dns.net/' dhcp.lan=dhcp dhcp.lan.interface='lan' dhcp.lan.start='100' dhcp.lan.limit='150' dhcp.lan.leasetime='12h' dhcp.lan.dhcpv4='server' dhcp.lan.force='1' dhcp.lan.ndp='hybrid' dhcp.lan.ra='hybrid' dhcp.lan.dhcpv6='hybrid' dhcp.lan.ra_preference='high' dhcp.lan.ra_management='1' dhcp.lan.master='1' dhcp.wan=dhcp dhcp.wan.interface='wan' dhcp.wan.ignore='1' dhcp.odhcpd=odhcpd dhcp.odhcpd.maindhcp='0' dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd' dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update' dhcp.odhcpd.loglevel='4' dhcp.omr_dscp_cs0=ipset dhcp.omr_dscp_cs0.name='omr_dscp_cs0_4' dhcp.omr_dscp_cs1=ipset dhcp.omr_dscp_cs1.name='omr_dscp_cs1_4' dhcp.omr_dscp_cs1.domain='download.qq.com' 'steamcontent.com' 'gs2.ww.prod.dl.playstation.net' 'dropbox.com' 'dropboxstatic.com' 'dropbox-dns.com' 'log.getdropbox.com' 'drive.google.com' 'drive-thirdparty.googleusercontent.com' 'docs.google.com' 'docs.googleusercontent.com' 'gvt1.com' 'mmg-fna.whatsapp.net' 'upload.youtube.com' 'upload.video.google.com' 'windowsupdate.com' 'update.microsoft.com' 'drive.shadow.tech' 'news.eweka.nl' dhcp.omr_dscp_cs2=ipset dhcp.omr_dscp_cs2.name='omr_dscp_cs2_4' dhcp.omr_dscp_cs2.domain='googletagmanager.com' 'googleusercontent.com' 'google.com' 'fbcdn.net' 'akamaihd.net' 'whatsapp.net' 'whatsapp.com' 'zoom.us' 'googleapis.com' '1e100.net' 'hwcdn.net' 'api.eu.shadow.tech' 'speedtest.frsbg01.shadow.tech' dhcp.omr_dscp_cs3=ipset dhcp.omr_dscp_cs3.name='omr_dscp_cs3_4' dhcp.omr_dscp_cs4=ipset dhcp.omr_dscp_cs4.name='omr_dscp_cs4_4' dhcp.omr_dscp_cs4.domain='googlevideo.com' 'nflxvideo.net' 's3.ll.dash.row.aiv-cdn.net' 'd25xi40x97liuc.cloudfront.net' 'aiv-delivery.net' 'fbcdn.net' 'ttvnw.net' 'vevo.com' 'audio-fa.scdn.com' 'deezer.com' 'sndcdn.com' 'last.fm' 'v.redd.it' 'shadow.tech' 'eu.shadow.tech' 'dot.ffmuc.net' 'dns.digitale-gesellschaft.ch' 'dnsforge.de' 'dns.quad9.net' 'unfiltered.adguard-dns.com' 'dns.njal.la' 'base.dns.mullvad.net' 'fngw-mcp-gc-livefn.ol.epicgames.com' 'fn-service-discovery-live-public.ogs.live.on.epicgames.com' 'fn-hotconfigs.ogs.live.on.epicgames.com' 'fortnitewaitingroom-public-service-prod.ol.epicgames.com' 'fortnite-matchmaking-public-service-live-nae.ol.epicgames.com' dhcp.omr_dscp_cs5=ipset dhcp.omr_dscp_cs5.name='omr_dscp_cs5_4' dhcp.omr_dscp_cs5.domain='tv.milkywan.fr' dhcp.omr_dscp_cs6=ipset dhcp.omr_dscp_cs6.name='omr_dscp_cs6_4' dhcp.omr_dscp_cs7=ipset dhcp.omr_dscp_cs7.name='omr_dscp_cs7_4' dhcp.omr_dscp_cs7.domain='ipv4-gpu-fish-rise-613323f7.frsbg01.compute.shadow.tech' dhcp.omr_dscp_ef=ipset dhcp.omr_dscp_ef.name='omr_dscp_ef_4

root@OpenMPTCProuter:~# uci show firewall firewall.@defaults[0]=defaults firewall.@defaults[0].syn_flood='1' firewall.@defaults[0].input='REJECT' firewall.@defaults[0].output='REJECT' firewall.@defaults[0].forward='REJECT' firewall.@defaults[0].fullcone='0' firewall.@defaults[0].flow_offloading='0' firewall.@defaults[0].flow_offloading_hw='0' firewall.@defaults[0].disable_ipv6='0' firewall.zone_lan=zone firewall.zone_lan.name='lan' firewall.zone_lan.network='lan' firewall.zone_lan.input='ACCEPT' firewall.zone_lan.output='ACCEPT' firewall.zone_lan.forward='ACCEPT' firewall.zone_lan.auto_helper='1' firewall.zone_lan.mtu_fix='1' firewall.zone_wan=zone firewall.zone_wan.name='wan' firewall.zone_wan.input='REJECT' firewall.zone_wan.output='ACCEPT' firewall.zone_wan.forward='REJECT' firewall.zone_wan.fullcone4='0' firewall.zone_wan.fullcone6='0' firewall.zone_wan.masq='1' firewall.zone_wan.mtu_fix='1' firewall.zone_wan.auto_helper='1' firewall.zone_wan.network='wan1' 'wan2' firewall.@forwarding[0]=forwarding firewall.@forwarding[0].src='lan' firewall.@forwarding[0].dest='wan' firewall.@rule[0]=rule firewall.@rule[0].name='Allow-DHCP-Renew' firewall.@rule[0].src='wan' firewall.@rule[0].proto='udp' firewall.@rule[0].dest_port='68' firewall.@rule[0].target='ACCEPT' firewall.@rule[0].family='ipv4' firewall.@rule[1]=rule firewall.@rule[1].name='Allow-Ping' firewall.@rule[1].src='wan' firewall.@rule[1].proto='icmp' firewall.@rule[1].icmp_type='echo-request' firewall.@rule[1].family='ipv4' firewall.@rule[1].target='ACCEPT' firewall.@rule[2]=rule firewall.@rule[2].name='Allow-IGMP' firewall.@rule[2].src='wan' firewall.@rule[2].proto='igmp' firewall.@rule[2].family='ipv4' firewall.@rule[2].target='ACCEPT' firewall.@rule[3]=rule firewall.@rule[3].name='Allow-DHCPv6' firewall.@rule[3].src='wan' firewall.@rule[3].proto='udp' firewall.@rule[3].dest_port='546' firewall.@rule[3].family='ipv6' firewall.@rule[3].target='ACCEPT' firewall.@rule[4]=rule firewall.@rule[4].name='Allow-MLD' firewall.@rule[4].src='wan' firewall.@rule[4].proto='icmp' firewall.@rule[4].src_ip='fe80::/10' firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0' firewall.@rule[4].family='ipv6' firewall.@rule[4].target='ACCEPT' firewall.@rule[5]=rule firewall.@rule[5].name='Allow-ICMPv6-Forward' firewall.@rule[5].src='wan' firewall.@rule[5].dest='' firewall.@rule[5].proto='icmp' firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' firewall.@rule[5].limit='1000/sec' firewall.@rule[5].family='ipv6' firewall.@rule[5].target='ACCEPT' firewall.@rule[6]=rule firewall.@rule[6].name='Allow-IPSec-ESP' firewall.@rule[6].src='wan' firewall.@rule[6].dest='lan' firewall.@rule[6].proto='esp' firewall.@rule[6].target='ACCEPT' firewall.@rule[7]=rule firewall.@rule[7].name='Allow-ISAKMP' firewall.@rule[7].src='wan' firewall.@rule[7].dest='lan' firewall.@rule[7].dest_port='500' firewall.@rule[7].proto='udp' firewall.@rule[7].target='ACCEPT' firewall.@rule[8]=rule firewall.@rule[8].target='ACCEPT' firewall.@rule[8].name='Allow-All-LAN-to-VPN' firewall.@rule[8].dest='vpn' firewall.@rule[8].src='lan' firewall.@rule[8].proto='all' firewall.@rule[9]=rule firewall.@rule[9].target='ACCEPT' firewall.@rule[9].name='Allow-All-Ping' firewall.@rule[9].proto='icmp' firewall.@rule[9].dest='' firewall.@rule[9].src='' firewall.@rule[9].icmp_type='echo-request' firewall.@rule[9].limit='1000/sec' firewall.@rule[10]=rule firewall.@rule[10].target='ACCEPT' firewall.@rule[10].name='Allow-VPN-ICMP' firewall.@rule[10].proto='icmp' firewall.@rule[10].src='vpn' firewall.@rule[11]=rule firewall.@rule[11].target='ACCEPT' firewall.@rule[11].name='Allow-Lan-to-Wan' firewall.@rule[11].dest='wan' firewall.@rule[11].src='lan' firewall.@rule[11].proto='all' firewall.@rule[12]=rule firewall.@rule[12].target='ACCEPT' firewall.@rule[12].name='ICMPv6-Lan-to-OMR' firewall.@rule[12].src='lan' firewall.@rule[12].family='ipv6' firewall.@rule[12].proto='icmp' firewall.@rule[12].limit='1000/sec' firewall.@rule[12].icmp_type='echo-reply destination-unreachable echo-request router-advertisement router-solicitation time-exceeded' firewall.omr_server=include firewall.omr_server.path='/etc/firewall.omr-server' firewall.gre_tunnel=include firewall.gre_tunnel.path='/etc/firewall.gre-tunnel' firewall.ttl=include firewall.ttl.path='/etc/firewall.ttl' firewall.fwlantovpn=forwarding firewall.fwlantovpn.src='lan' firewall.fwlantovpn.dest='vpn' firewall.blockquicproxy=rule firewall.blockquicproxy.name='Block QUIC Proxy' firewall.blockquicproxy.proto='udp' firewall.blockquicproxy.dest_port='443' firewall.blockquicproxy.target='DROP' firewall.blockquicproxy.src='lan' firewall.blockquicproxy.enabled='0' firewall.blockquicall=rule firewall.blockquicall.name='Block QUIC All' firewall.blockquicall.proto='udp' firewall.blockquicall.src='' firewall.blockquicall.dest='' firewall.blockquicall.dest_port='443' firewall.blockquicall.target='DROP' firewall.blockquicall.enabled='0' firewall.allowicmpipv6=rule firewall.allowicmpipv6.proto='icmp' firewall.allowicmpipv6.target='ACCEPT' firewall.allowicmpipv6.src='wan' firewall.allowicmpipv6.name='Allow IPv6 ICMP' firewall.allowicmpipv6.family='ipv6' firewall.allowicmpipv6.limit='1000/sec' firewall.allowicmpipv6.icmp_type='neighbour-advertisement neighbour-solicitation router-advertisement router-solicitation' firewall.allowdhcpv6546=rule firewall.allowdhcpv6546.target='ACCEPT' firewall.allowdhcpv6546.src='wan' firewall.allowdhcpv6546.proto='udp' firewall.allowdhcpv6546.dest_port='547' firewall.allowdhcpv6546.name='Allow DHCPv6 (546-to-547)' firewall.allowdhcpv6546.family='ipv6' firewall.allowdhcpv6546.src_port='546' firewall.allowdhcpv6547=rule firewall.allowdhcpv6547.target='ACCEPT' firewall.allowdhcpv6547.src='wan' firewall.allowdhcpv6547.proto='udp' firewall.allowdhcpv6547.dest_port='546' firewall.allowdhcpv6547.name='Allow DHCPv6 (547-to-546)' firewall.allowdhcpv6547.family='ipv6' firewall.allowdhcpv6547.src_port='547' firewall.omr_bypass=include firewall.omr_bypass.path='/etc/firewall.omr-bypass' firewall.omr_bypass.reload='0' firewall.omr_bypass.enabled='1' firewall.omr_bypass.type='script' firewall.omr_bypass.fw4_compatible='1' firewall.@redirect[0]=redirect firewall.@redirect[0].target='DNAT' firewall.@redirect[0].name='Alle' firewall.@redirect[0].src='vpn' firewall.@redirect[0].src_dport='0-64999' firewall.@redirect[0].dest='lan' firewall.@redirect[0].dest_ip='192.168.100.2' firewall.@redirect[0].dest_port='0-64999' firewall.upnp=include firewall.upnp.path='/etc/firewall.ttl' firewall.upnp.type='script' firewall.upnp.fw4_compatible='1' firewall.zone_vpn=zone firewall.zone_vpn.name='vpn' firewall.zone_vpn.masq='1' firewall.zone_vpn.input='REJECT' firewall.zone_vpn.forward='ACCEPT' firewall.zone_vpn.output='ACCEPT' firewall.zone_vpn.network='omrvpn' 'omr6in4' firewall.zone_vpn.mtu_fix='1' firewall.zone_vpn.auto_helper='1' firewall.user=include firewall.user.path='/etc/firewall.user' firewall.user.enabled='1' firewall.user.type='script' firewall.user.fw4_compatible='1' firewall.omr_dst_bypass_eth0_4=ipset firewall.omr_dst_bypass_eth0_4.name='omr_dst_bypass_eth0_4' firewall.omr_dst_bypass_eth0_4.match='dest_ip' firewall.omr_dst_bypass_eth0_4.family='ipv4' firewall.omr_dst_bypass_eth0_4.enabled='1' firewall.omr_dst_bypass_eth0_6=ipset firewall.omr_dst_bypass_eth0_6.name='omr_dst_bypass_eth0_6' firewall.omr_dst_bypass_eth0_6.match='dest_ip' firewall.omr_dst_bypass_eth0_6.family='ipv6' firewall.omr_dst_bypass_eth0_6.enabled='1' firewall.omr_dst_bypass_eth0_dstip_4=rule firewall.omr_dst_bypass_eth0_dstip_4.name='omr_dst_bypass_eth0_rule' firewall.omr_dst_bypass_eth0_dstip_4.ipset='omr_dst_bypass_eth0_4' firewall.omr_dst_bypass_eth0_dstip_4.target='MARK' firewall.omr_dst_bypass_eth0_dstip_4.src='lan' firewall.omr_dst_bypass_eth0_dstip_4.dest='' firewall.omr_dst_bypass_eth0_dstip_4.family='ipv4' firewall.omr_dst_bypass_eth0_dstip_4.enabled='0' firewall.omr_dst_bypass_eth0_dstip_4.set_mark='0x45399999' firewall.omr_dst_bypass_eth0_dstip_4_accept=rule firewall.omr_dst_bypass_eth0_dstip_4_accept.name='omr_dst_bypass_eth0_rule_accept' firewall.omr_dst_bypass_eth0_dstip_4_accept.target='ACCEPT' firewall.omr_dst_bypass_eth0_dstip_4_accept.dest='' firewall.omr_dst_bypass_eth0_dstip_4_accept.family='ipv4' firewall.omr_dst_bypass_eth0_dstip_4_accept.enabled='0' firewall.omr_dst_bypass_eth0_dstip_4_accept.mark='0x45399999' firewall.omr_dst_bypass_eth0_srcip_4=rule firewall.omr_dst_bypass_eth0_srcip_4.name='omr_dst_bypass_eth0_srcip' firewall.omr_dst_bypass_eth0_srcip_4.src='lan' firewall.omr_dst_bypass_eth0_srcip_4.dest='' firewall.omr_dst_bypass_eth0_srcip_4.family='ipv4' firewall.omr_dst_bypass_eth0_srcip_4.target='MARK' firewall.omr_dst_bypass_eth0_srcip_4.enabled='0' firewall.omr_dst_bypass_eth0_srcip_4.set_xmark='0x45399999' firewall.omr_dst_bypass_eth0_mac_4=rule firewall.omr_dst_bypass_eth0_mac_4.name='omr_dst_bypass_eth0_mac' firewall.omr_dst_bypass_eth0_mac_4.src='lan' firewall.omr_dst_bypass_eth0_mac_4.dest='' firewall.omr_dst_bypass_eth0_mac_4.target='MARK' firewall.omr_dst_bypass_eth0_mac_4.enabled='0' firewall.omr_dst_bypass_eth0_mac_4.set_xmark='0x45399999' firewall.omr_dst_bypass_eth0_srcport_tcp_4=rule firewall.omr_dst_bypass_eth0_srcport_tcp_4.name='omr_dst_bypass_eth0_srcport' firewall.omr_dst_bypass_eth0_srcport_tcp_4.proto='tcp' firewall.omr_dst_bypass_eth0_srcport_tcp_4.src='lan' firewall.omr_dst_bypass_eth0_srcport_tcp_4.dest='' firewall.omr_dst_bypass_eth0_srcport_tcp_4.target='MARK' firewall.omr_dst_bypass_eth0_srcport_tcp_4.enabled='0' firewall.omr_dst_bypass_eth0_srcport_tcp_4.set_xmark='0x45399999' firewall.omr_dst_bypass_eth0_srcport_udp_4=rule firewall.omr_dst_bypass_eth0_srcport_udp_4.name='omr_dst_bypass_eth0_srcport' firewall.omr_dst_bypass_eth0_srcport_udp_4.proto='udp' firewall.omr_dst_bypass_eth0_srcport_udp_4.src='lan' firewall.omr_dst_bypass_eth0_srcport_udp_4.dest='' firewall.omr_dst_bypass_eth0_srcport_udp_4.target='MARK' firewall.omr_dst_bypass_eth0_srcport_udp_4.enabled='0' firewall.omr_dst_bypass_eth0_srcport_udp_4.set_xmark='0x45399999' firewall.omr_dst_bypass_eth0_dstport_tcp_4=rule firewall.omr_dst_bypass_eth0_dstport_tcp_4.name='omr_dst_bypass_eth0_dstport' firewall.omr_dst_bypass_eth0_dstport_tcp_4.src='lan' firewall.omr_dst_bypass_eth0_dstport_tcp_4.dest='' firewall.omr_dst_bypass_eth0_dstport_tcp_4.target='MARK' firewall.omr_dst_bypass_eth0_dstport_tcp_4.enabled='0' firewall.omr_dst_bypass_eth0_dstport_tcp_4.set_xmark='0x45399999' firewall.omr_dst_bypass_eth0_dstport_udp_4=rule firewall.omr_dst_bypass_eth0_dstport_udp_4.name='omr_dst_bypass_eth0_dstport' firewall.omr_dst_bypass_eth0_dstport_udp_4.src='lan' firewall.omr_dst_bypass_eth0_dstport_udp_4.dest='' firewall.omr_dst_bypass_eth0_dstport_udp_4.target='MARK' firewall.omr_dst_bypass_eth0_dstport_udp_4.enabled='0' firewall.omr_dst_bypass_eth0_dstport_udp_4.set_xmark='0x45399999' firewall.omr_dst_bypass_eth1_4=ipset firewall.omr_dst_bypass_eth1_4.name='omr_dst_bypass_eth1_4' firewall.omr_dst_bypass_eth1_4.match='dest_ip' firewall.omr_dst_bypass_eth1_4.family='ipv4' firewall.omr_dst_bypass_eth1_4.enabled='1' firewall.omr_dst_bypass_eth1_6=ipset firewall.omr_dst_bypass_eth1_6.name='omr_dst_bypass_eth1_6' firewall.omr_dst_bypass_eth1_6.match='dest_ip' firewall.omr_dst_bypass_eth1_6.family='ipv6' firewall.omr_dst_bypass_eth1_6.enabled='1' firewall.omr_dst_bypass_eth1_dstip_4=rule firewall.omr_dst_bypass_eth1_dstip_4.name='omr_dst_bypass_eth1_rule' firewall.omr_dst_bypass_eth1_dstip_4.ipset='omr_dst_bypass_eth1_4' firewall.omr_dst_bypass_eth1_dstip_4.target='MARK' firewall.omr_dst_bypass_eth1_dstip_4.src='lan' firewall.omr_dst_bypass_eth1_dstip_4.dest='' firewall.omr_dst_bypass_eth1_dstip_4.family='ipv4' firewall.omr_dst_bypass_eth1_dstip_4.enabled='0' firewall.omr_dst_bypass_eth1_dstip_4.set_mark='0x45393' firewall.omr_dst_bypass_eth1_dstip_4_accept=rule firewall.omr_dst_bypass_eth1_dstip_4_accept.name='omr_dst_bypass_eth1_rule_accept' firewall.omr_dst_bypass_eth1_dstip_4_accept.target='ACCEPT' firewall.omr_dst_bypass_eth1_dstip_4_accept.dest='' firewall.omr_dst_bypass_eth1_dstip_4_accept.family='ipv4' firewall.omr_dst_bypass_eth1_dstip_4_accept.enabled='0' firewall.omr_dst_bypass_eth1_dstip_4_accept.mark='0x45393' firewall.omr_dst_bypass_eth1_srcip_4=rule firewall.omr_dst_bypass_eth1_srcip_4.name='omr_dst_bypass_eth1_srcip' firewall.omr_dst_bypass_eth1_srcip_4.src='lan' firewall.omr_dst_bypass_eth1_srcip_4.dest='' firewall.omr_dst_bypass_eth1_srcip_4.family='ipv4' firewall.omr_dst_bypass_eth1_srcip_4.target='MARK' firewall.omr_dst_bypass_eth1_srcip_4.enabled='0' firewall.omr_dst_bypass_eth1_srcip_4.set_xmark='0x45393' firewall.omr_dst_bypass_eth1_mac_4=rule firewall.omr_dst_bypass_eth1_mac_4.name='omr_dst_bypass_eth1_mac' firewall.omr_dst_bypass_eth1_mac_4.src='lan' firewall.omr_dst_bypass_eth1_mac_4.dest='' firewall.omr_dst_bypass_eth1_mac_4.target='MARK' firewall.omr_dst_bypass_eth1_mac_4.enabled='0' firewall.omr_dst_bypass_eth1_mac_4.set_xmark='0x45393' firewall.omr_dst_bypass_eth1_srcport_tcp_4=rule firewall.omr_dst_bypass_eth1_srcport_tcp_4.name='omr_dst_bypass_eth1_srcport' firewall.omr_dst_bypass_eth1_srcport_tcp_4.proto='tcp' firewall.omr_dst_bypass_eth1_srcport_tcp_4.src='lan' firewall.omr_dst_bypass_eth1_srcport_tcp_4.dest='' firewall.omr_dst_bypass_eth1_srcport_tcp_4.target='MARK' firewall.omr_dst_bypass_eth1_srcport_tcp_4.enabled='0' firewall.omr_dst_bypass_eth1_srcport_tcp_4.set_xmark='0x45393' firewall.omr_dst_bypass_eth1_srcport_udp_4=rule firewall.omr_dst_bypass_eth1_srcport_udp_4.name='omr_dst_bypass_eth1_srcport' firewall.omr_dst_bypass_eth1_srcport_udp_4.proto='udp' firewall.omr_dst_bypass_eth1_srcport_udp_4.src='lan' firewall.omr_dst_bypass_eth1_srcport_udp_4.dest='' firewall.omr_dst_bypass_eth1_srcport_udp_4.target='MARK' firewall.omr_dst_bypass_eth1_srcport_udp_4.enabled='0' firewall.omr_dst_bypass_eth1_srcport_udp_4.set_xmark='0x45393' firewall.omr_dst_bypass_eth1_dstport_tcp_4=rule firewall.omr_dst_bypass_eth1_dstport_tcp_4.name='omr_dst_bypass_eth1_dstport' firewall.omr_dst_bypass_eth1_dstport_tcp_4.src='lan' firewall.omr_dst_bypass_eth1_dstport_tcp_4.dest='' firewall.omr_dst_bypass_eth1_dstport_tcp_4.target='MARK' firewall.omr_dst_bypass_eth1_dstport_tcp_4.enabled='0' firewall.omr_dst_bypass_eth1_dstport_tcp_4.set_xmark='0x45393' firewall.omr_dst_bypass_eth1_dstport_udp_4=rule firewall.omr_dst_bypass_eth1_dstport_udp_4.name='omr_dst_bypass_eth1_dstport' firewall.omr_dst_bypass_eth1_dstport_udp_4.src='lan' firewall.omr_dst_bypass_eth1_dstport_udp_4.dest='' firewall.omr_dst_bypass_eth1_dstport_udp_4.target='MARK' firewall.omr_dst_bypass_eth1_dstport_udp_4.enabled='0' firewall.omr_dst_bypass_eth1_dstport_udp_4.set_xmark='0x45393' firewall.omr_dst_bypass_eth2_4=ipset firewall.omr_dst_bypass_eth2_4.name='omr_dst_bypass_eth2_4' firewall.omr_dst_bypass_eth2_4.match='dest_ip' firewall.omr_dst_bypass_eth2_4.family='ipv4' firewall.omr_dst_bypass_eth2_4.enabled='1' firewall.omr_dst_bypass_eth2_6=ipset firewall.omr_dst_bypass_eth2_6.name='omr_dst_bypass_eth2_6' firewall.omr_dst_bypass_eth2_6.match='dest_ip' firewall.omr_dst_bypass_eth2_6.family='ipv6' firewall.omr_dst_bypass_eth2_6.enabled='1' firewall.omr_dst_bypass_eth2_dstip_4=rule firewall.omr_dst_bypass_eth2_dstip_4.name='omr_dst_bypass_eth2_rule' firewall.omr_dst_bypass_eth2_dstip_4.ipset='omr_dst_bypass_eth2_4' firewall.omr_dst_bypass_eth2_dstip_4.target='MARK' firewall.omr_dst_bypass_eth2_dstip_4.src='lan' firewall.omr_dst_bypass_eth2_dstip_4.dest='' firewall.omr_dst_bypass_eth2_dstip_4.family='ipv4' firewall.omr_dst_bypass_eth2_dstip_4.enabled='0' firewall.omr_dst_bypass_eth2_dstip_4.set_mark='0x45394' firewall.omr_dst_bypass_eth2_dstip_4_accept=rule firewall.omr_dst_bypass_eth2_dstip_4_accept.name='omr_dst_bypass_eth2_rule_accept' firewall.omr_dst_bypass_eth2_dstip_4_accept.target='ACCEPT' firewall.omr_dst_bypass_eth2_dstip_4_accept.dest='' firewall.omr_dst_bypass_eth2_dstip_4_accept.family='ipv4' firewall.omr_dst_bypass_eth2_dstip_4_accept.enabled='0' firewall.omr_dst_bypass_eth2_dstip_4_accept.mark='0x45394' firewall.omr_dst_bypass_eth2_srcip_4=rule firewall.omr_dst_bypass_eth2_srcip_4.name='omr_dst_bypass_eth2_srcip' firewall.omr_dst_bypass_eth2_srcip_4.src='lan' firewall.omr_dst_bypass_eth2_srcip_4.dest='' firewall.omr_dst_bypass_eth2_srcip_4.family='ipv4' firewall.omr_dst_bypass_eth2_srcip_4.target='MARK' firewall.omr_dst_bypass_eth2_srcip_4.enabled='0' firewall.omr_dst_bypass_eth2_srcip_4.set_xmark='0x45394' firewall.omr_dst_bypass_eth2_mac_4=rule firewall.omr_dst_bypass_eth2_mac_4.name='omr_dst_bypass_eth2_mac' firewall.omr_dst_bypass_eth2_mac_4.src='lan' firewall.omr_dst_bypass_eth2_mac_4.dest='' firewall.omr_dst_bypass_eth2_mac_4.target='MARK' firewall.omr_dst_bypass_eth2_mac_4.enabled='0' firewall.omr_dst_bypass_eth2_mac_4.set_xmark='0x45394' firewall.omr_dst_bypass_eth2_srcport_tcp_4=rule firewall.omr_dst_bypass_eth2_srcport_tcp_4.name='omr_dst_bypass_eth2_srcport' firewall.omr_dst_bypass_eth2_srcport_tcp_4.proto='tcp' firewall.omr_dst_bypass_eth2_srcport_tcp_4.src='lan' firewall.omr_dst_bypass_eth2_srcport_tcp_4.dest='' firewall.omr_dst_bypass_eth2_srcport_tcp_4.target='MARK' firewall.omr_dst_bypass_eth2_srcport_tcp_4.enabled='0' firewall.omr_dst_bypass_eth2_srcport_tcp_4.set_xmark='0x45394' firewall.omr_dst_bypass_eth2_srcport_udp_4=rule firewall.omr_dst_bypass_eth2_srcport_udp_4.name='omr_dst_bypass_eth2_srcport' firewall.omr_dst_bypass_eth2_srcport_udp_4.proto='udp' firewall.omr_dst_bypass_eth2_srcport_udp_4.src='lan' firewall.omr_dst_bypass_eth2_srcport_udp_4.dest='' firewall.omr_dst_bypass_eth2_srcport_udp_4.target='MARK' firewall.omr_dst_bypass_eth2_srcport_udp_4.enabled='0' firewall.omr_dst_bypass_eth2_srcport_udp_4.set_xmark='0x45394' firewall.omr_dst_bypass_eth2_dstport_tcp_4=rule firewall.omr_dst_bypass_eth2_dstport_tcp_4.name='omr_dst_bypass_eth2_dstport' firewall.omr_dst_bypass_eth2_dstport_tcp_4.src='lan' firewall.omr_dst_bypass_eth2_dstport_tcp_4.dest='' firewall.omr_dst_bypass_eth2_dstport_tcp_4.target='MARK' firewall.omr_dst_bypass_eth2_dstport_tcp_4.enabled='0' firewall.omr_dst_bypass_eth2_dstport_tcp_4.set_xmark='0x45394' firewall.omr_dst_bypass_eth2_dstport_udp_4=rule firewall.omr_dst_bypass_eth2_dstport_udp_4.name='omr_dst_bypass_eth2_dstport' firewall.omr_dst_bypass_eth2_dstport_udp_4.src='lan' firewall.omr_dst_bypass_eth2_dstport_udp_4.dest='' firewall.omr_dst_bypass_eth2_dstport_udp_4.target='MARK' firewall.omr_dst_bypass_eth2_dstport_udp_4.enabled='0' firewall.omr_dst_bypass_eth2_dstport_udp_4.set_xmark='0x45394' firewall.omr_dst_bypass_tun0_4=ipset firewall.omr_dst_bypass_tun0_4.name='omr_dst_bypass_tun0_4' firewall.omr_dst_bypass_tun0_4.match='dest_ip' firewall.omr_dst_bypass_tun0_4.family='ipv4' firewall.omr_dst_bypass_tun0_4.enabled='1' firewall.omr_dst_bypass_tun0_6=ipset firewall.omr_dst_bypass_tun0_6.name='omr_dst_bypass_tun0_6' firewall.omr_dst_bypass_tun0_6.match='dest_ip' firewall.omr_dst_bypass_tun0_6.family='ipv6' firewall.omr_dst_bypass_tun0_6.enabled='1' firewall.omr_dst_bypass_tun0_dstip_4=rule firewall.omr_dst_bypass_tun0_dstip_4.name='omr_dst_bypass_tun0_rule' firewall.omr_dst_bypass_tun0_dstip_4.ipset='omr_dst_bypass_tun0_4' firewall.omr_dst_bypass_tun0_dstip_4.target='MARK' firewall.omr_dst_bypass_tun0_dstip_4.src='lan' firewall.omr_dst_bypass_tun0_dstip_4.dest='' firewall.omr_dst_bypass_tun0_dstip_4.family='ipv4' firewall.omr_dst_bypass_tun0_dstip_4.enabled='0' firewall.omr_dst_bypass_tun0_dstip_4.set_mark='0x45391500' firewall.omr_dst_bypass_tun0_dstip_4_accept=rule firewall.omr_dst_bypass_tun0_dstip_4_accept.name='omr_dst_bypass_tun0_rule_accept' firewall.omr_dst_bypass_tun0_dstip_4_accept.target='ACCEPT' firewall.omr_dst_bypass_tun0_dstip_4_accept.dest='' firewall.omr_dst_bypass_tun0_dstip_4_accept.family='ipv4' firewall.omr_dst_bypass_tun0_dstip_4_accept.enabled='0' firewall.omr_dst_bypass_tun0_dstip_4_accept.mark='0x45391500' firewall.omr_dst_bypass_tun0_srcip_4=rule firewall.omr_dst_bypass_tun0_srcip_4.name='omr_dst_bypass_tun0_srcip' firewall.omr_dst_bypass_tun0_srcip_4.src='lan' firewall.omr_dst_bypass_tun0_srcip_4.dest='' firewall.omr_dst_bypass_tun0_srcip_4.family='ipv4' firewall.omr_dst_bypass_tun0_srcip_4.target='MARK' firewall.omr_dst_bypass_tun0_srcip_4.enabled='0' firewall.omr_dst_bypass_tun0_srcip_4.set_xmark='0x45391500' firewall.omr_dst_bypass_tun0_mac_4=rule firewall.omr_dst_bypass_tun0_mac_4.name='omr_dst_bypass_tun0_mac' firewall.omr_dst_bypass_tun0_mac_4.src='lan' firewall.omr_dst_bypass_tun0_mac_4.dest='' firewall.omr_dst_bypass_tun0_mac_4.target='MARK' firewall.omr_dst_bypass_tun0_mac_4.enabled='0' firewall.omr_dst_bypass_tun0_mac_4.set_xmark='0x45391500' firewall.omr_dst_bypass_tun0_srcport_tcp_4=rule firewall.omr_dst_bypass_tun0_srcport_tcp_4.name='omr_dst_bypass_tun0_srcport' firewall.omr_dst_bypass_tun0_srcport_tcp_4.proto='tcp' firewall.omr_dst_bypass_tun0_srcport_tcp_4.src='lan' firewall.omr_dst_bypass_tun0_srcport_tcp_4.dest='' firewall.omr_dst_bypass_tun0_srcport_tcp_4.target='MARK' firewall.omr_dst_bypass_tun0_srcport_tcp_4.enabled='0' firewall.omr_dst_bypass_tun0_srcport_tcp_4.set_xmark='0x45391500' firewall.omr_dst_bypass_tun0_srcport_udp_4=rule firewall.omr_dst_bypass_tun0_srcport_udp_4.name='omr_dst_bypass_tun0_srcport' firewall.omr_dst_bypass_tun0_srcport_udp_4.proto='udp' firewall.omr_dst_bypass_tun0_srcport_udp_4.src='lan' firewall.omr_dst_bypass_tun0_srcport_udp_4.dest='' firewall.omr_dst_bypass_tun0_srcport_udp_4.target='MARK' firewall.omr_dst_bypass_tun0_srcport_udp_4.enabled='0' firewall.omr_dst_bypass_tun0_srcport_udp_4.set_xmark='0x45391500' firewall.omr_dst_bypass_tun0_dstport_tcp_4=rule firewall.omr_dst_bypass_tun0_dstport_tcp_4.name='omr_dst_bypass_tun0_dstport' firewall.omr_dst_bypass_tun0_dstport_tcp_4.src='lan' firewall.omr_dst_bypass_tun0_dstport_tcp_4.dest='' firewall.omr_dst_bypass_tun0_dstport_tcp_4.target='MARK' firewall.omr_dst_bypass_tun0_dstport_tcp_4.enabled='0' firewall.omr_dst_bypass_tun0_dstport_tcp_4.set_xmark='0x45391500' firewall.omr_dst_bypass_tun0_dstport_udp_4=rule firewall.omr_dst_bypass_tun0_dstport_udp_4.name='omr_dst_bypass_tun0_dstport' firewall.omr_dst_bypass_tun0_dstport_udp_4.src='lan' firewall.omr_dst_bypass_tun0_dstport_udp_4.dest='' firewall.omr_dst_bypass_tun0_dstport_udp_4.target='MARK' firewall.omr_dst_bypass_tun0_dstport_udp_4.enabled='0' firewall.omr_dst_bypass_tun0_dstport_udp_4.set_xmark='0x45391500' firewall.omr_dst_bypass_all_4=ipset firewall.omr_dst_bypass_all_4.name='omr_dst_bypass_all_4' firewall.omr_dst_bypass_all_4.match='dest_ip' firewall.omr_dst_bypass_all_4.family='ipv4' firewall.omr_dst_bypass_all_4.enabled='1' firewall.omr_dst_bypass_all_6=ipset firewall.omr_dst_bypass_all_6.name='omr_dst_bypass_all_6' firewall.omr_dst_bypass_all_6.match='dest_ip' firewall.omr_dst_bypass_all_6.family='ipv6' firewall.omr_dst_bypass_all_6.enabled='1' firewall.omr_dst_bypass_all_dstip_4=rule firewall.omr_dst_bypass_all_dstip_4.name='omr_dst_bypass_all_rule' firewall.omr_dst_bypass_all_dstip_4.ipset='omr_dst_bypass_all_4' firewall.omr_dst_bypass_all_dstip_4.target='MARK' firewall.omr_dst_bypass_all_dstip_4.src='lan' firewall.omr_dst_bypass_all_dstip_4.dest='' firewall.omr_dst_bypass_all_dstip_4.family='ipv4' firewall.omr_dst_bypass_all_dstip_4.enabled='0' firewall.omr_dst_bypass_all_dstip_4.set_mark='0x4539' firewall.omr_dst_bypass_all_dstip_4_accept=rule firewall.omr_dst_bypass_all_dstip_4_accept.name='omr_dst_bypass_all_rule_accept' firewall.omr_dst_bypass_all_dstip_4_accept.target='ACCEPT' firewall.omr_dst_bypass_all_dstip_4_accept.dest='' firewall.omr_dst_bypass_all_dstip_4_accept.family='ipv4' firewall.omr_dst_bypass_all_dstip_4_accept.enabled='0' firewall.omr_dst_bypass_all_dstip_4_accept.mark='0x4539' firewall.omr_dst_bypass_all_srcip_4=rule firewall.omr_dst_bypass_all_srcip_4.name='omr_dst_bypass_all_srcip' firewall.omr_dst_bypass_all_srcip_4.src='lan' firewall.omr_dst_bypass_all_srcip_4.dest='' firewall.omr_dst_bypass_all_srcip_4.family='ipv4' firewall.omr_dst_bypass_all_srcip_4.target='MARK' firewall.omr_dst_bypass_all_srcip_4.enabled='0' firewall.omr_dst_bypass_all_srcip_4.set_xmark='0x4539' firewall.omr_dst_bypass_all_mac_4=rule firewall.omr_dst_bypass_all_mac_4.name='omr_dst_bypass_all_mac' firewall.omr_dst_bypass_all_mac_4.src='lan' firewall.omr_dst_bypass_all_mac_4.dest='' firewall.omr_dst_bypass_all_mac_4.target='MARK' firewall.omr_dst_bypass_all_mac_4.enabled='0' firewall.omr_dst_bypass_all_mac_4.set_xmark='0x4539' firewall.omr_dst_bypass_all_srcport_tcp_4=rule firewall.omr_dst_bypass_all_srcport_tcp_4.name='omr_dst_bypass_all_srcport' firewall.omr_dst_bypass_all_srcport_tcp_4.proto='tcp' firewall.omr_dst_bypass_all_srcport_tcp_4.src='lan' firewall.omr_dst_bypass_all_srcport_tcp_4.dest='' firewall.omr_dst_bypass_all_srcport_tcp_4.target='MARK' firewall.omr_dst_bypass_all_srcport_tcp_4.enabled='0' firewall.omr_dst_bypass_all_srcport_tcp_4.set_xmark='0x4539' firewall.omr_dst_bypass_all_srcport_udp_4=rule firewall.omr_dst_bypass_all_srcport_udp_4.name='omr_dst_bypass_all_srcport' firewall.omr_dst_bypass_all_srcport_udp_4.proto='udp' firewall.omr_dst_bypass_all_srcport_udp_4.src='lan' firewall.omr_dst_bypass_all_srcport_udp_4.dest='' firewall.omr_dst_bypass_all_srcport_udp_4.target='MARK' firewall.omr_dst_bypass_all_srcport_udp_4.enabled='0' firewall.omr_dst_bypass_all_srcport_udp_4.set_xmark='0x4539' firewall.omr_dst_bypass_all_dstport_tcp_4=rule firewall.omr_dst_bypass_all_dstport_tcp_4.name='omr_dst_bypass_all_dstport' firewall.omr_dst_bypass_all_dstport_tcp_4.src='lan' firewall.omr_dst_bypass_all_dstport_tcp_4.dest='' firewall.omr_dst_bypass_all_dstport_tcp_4.target='MARK' firewall.omr_dst_bypass_all_dstport_tcp_4.enabled='0' firewall.omr_dst_bypass_all_dstport_tcp_4.set_xmark='0x4539' firewall.omr_dst_bypass_all_dstport_udp_4=rule firewall.omr_dst_bypass_all_dstport_udp_4.name='omr_dst_bypass_all_dstport' firewall.omr_dst_bypass_all_dstport_udp_4.src='lan' firewall.omr_dst_bypass_all_dstport_udp_4.dest='' firewall.omr_dst_bypass_all_dstport_udp_4.target='MARK' firewall.omr_dst_bypass_all_dstport_udp_4.enabled='0' firewall.omr_dst_bypass_all_dstport_udp_4.set_xmark='0x4539' firewall.omr_dscp_cs0_4=ipset firewall.omr_dscp_cs0_4.name='omr_dscp_cs0_4' firewall.omr_dscp_cs0_4.match='dest_ip' firewall.omr_dscp_rule_cs0_4=rule firewall.omr_dscp_rule_cs0_4.name='omr_dscp_cs0_4' firewall.omr_dscp_rule_cs0_4.ipset='omr_dscp_cs0_4' firewall.omr_dscp_rule_cs0_4.set_dscp='CS0' firewall.omr_dscp_rule_cs0_4.target='DSCP' firewall.omr_dscp_rule_cs0_4.src='' firewall.omr_dscp_rule_cs0_4.dest='' firewall.omr_dscp_cs1_4=ipset firewall.omr_dscp_cs1_4.name='omr_dscp_cs1_4' firewall.omr_dscp_cs1_4.match='dest_ip' firewall.omr_dscp_rule_cs1_4=rule firewall.omr_dscp_rule_cs1_4.name='omr_dscp_cs1_4' firewall.omr_dscp_rule_cs1_4.ipset='omr_dscp_cs1_4' firewall.omr_dscp_rule_cs1_4.set_dscp='CS1' firewall.omr_dscp_rule_cs1_4.target='DSCP' firewall.omr_dscp_rule_cs1_4.src='' firewall.omr_dscp_rule_cs1_4.dest='' firewall.omr_dscp_cs2_4=ipset firewall.omr_dscp_cs2_4.name='omr_dscp_cs2_4' firewall.omr_dscp_cs2_4.match='dest_ip' firewall.omr_dscp_rule_cs2_4=rule firewall.omr_dscp_rule_cs2_4.name='omr_dscp_cs2_4' firewall.omr_dscp_rule_cs2_4.ipset='omr_dscp_cs2_4' firewall.omr_dscp_rule_cs2_4.set_dscp='CS2' firewall.omr_dscp_rule_cs2_4.target='DSCP' firewall.omr_dscp_rule_cs2_4.src='' firewall.omr_dscp_rule_cs2_4.dest='' firewall.omr_dscp_cs3_4=ipset firewall.omr_dscp_cs3_4.name='omr_dscp_cs3_4' firewall.omr_dscp_cs3_4.match='dest_ip' firewall.omr_dscp_rule_cs3_4=rule firewall.omr_dscp_rule_cs3_4.name='omr_dscp_cs3_4' firewall.omr_dscp_rule_cs3_4.ipset='omr_dscp_cs3_4' firewall.omr_dscp_rule_cs3_4.set_dscp='CS3' firewall.omr_dscp_rule_cs3_4.target='DSCP' firewall.omr_dscp_rule_cs3_4.src='' firewall.omr_dscp_rule_cs3_4.dest='' firewall.omr_dscp_cs4_4=ipset firewall.omr_dscp_cs4_4.name='omr_dscp_cs4_4' firewall.omr_dscp_cs4_4.match='dest_ip' firewall.omr_dscp_rule_cs4_4=rule firewall.omr_dscp_rule_cs4_4.name='omr_dscp_cs4_4' firewall.omr_dscp_rule_cs4_4.ipset='omr_dscp_cs4_4' firewall.omr_dscp_rule_cs4_4.set_dscp='CS4' firewall.omr_dscp_rule_cs4_4.target='DSCP' firewall.omr_dscp_rule_cs4_4.src='' firewall.omr_dscp_rule_cs4_4.dest='' firewall.omr_dscp_cs5_4=ipset firewall.omr_dscp_cs5_4.name='omr_dscp_cs5_4' firewall.omr_dscp_cs5_4.match='dest_ip' firewall.omr_dscp_rule_cs5_4=rule firewall.omr_dscp_rule_cs5_4.name='omr_dscp_cs5_4' firewall.omr_dscp_rule_cs5_4.ipset='omr_dscp_cs5_4' firewall.omr_dscp_rule_cs5_4.set_dscp='CS5' firewall.omr_dscp_rule_cs5_4.target='DSCP' firewall.omr_dscp_rule_cs5_4.src='' firewall.omr_dscp_rule_cs5_4.dest='' firewall.omr_dscp_cs6_4=ipset firewall.omr_dscp_cs6_4.name='omr_dscp_cs6_4' firewall.omr_dscp_cs6_4.match='dest_ip' firewall.omr_dscp_rule_cs6_4=rule firewall.omr_dscp_rule_cs6_4.name='omr_dscp_cs6_4' firewall.omr_dscp_rule_cs6_4.ipset='omr_dscp_cs6_4' firewall.omr_dscp_rule_cs6_4.set_dscp='CS6' firewall.omr_dscp_rule_cs6_4.target='DSCP' firewall.omr_dscp_rule_cs6_4.src='' firewall.omr_dscp_rule_cs6_4.dest='' firewall.omr_dscp_cs7_4=ipset firewall.omr_dscp_cs7_4.name='omr_dscp_cs7_4' firewall.omr_dscp_cs7_4.match='dest_ip' firewall.omr_dscp_rule_cs7_4=rule firewall.omr_dscp_rule_cs7_4.name='omr_dscp_cs7_4' firewall.omr_dscp_rule_cs7_4.ipset='omr_dscp_cs7_4' firewall.omr_dscp_rule_cs7_4.set_dscp='CS7' firewall.omr_dscp_rule_cs7_4.target='DSCP' firewall.omr_dscp_rule_cs7_4.src='' firewall.omr_dscp_rule_cs7_4.dest='' firewall.omr_dscp_ef_4=ipset firewall.omr_dscp_ef_4.name='omr_dscp_ef_4' firewall.omr_dscp_ef_4.match='dest_ip' firewall.omr_dscp_rule_ef_4=rule firewall.omr_dscp_rule_ef_4.name='omr_dscp_ef_4' firewall.omr_dscp_rule_ef_4.ipset='omr_dscp_ef_4' firewall.omr_dscp_rule_ef_4.set_dscp='EF' firewall.omr_dscp_rule_ef_4.target='DSCP' firewall.omr_dscp_rule_ef_4.src='' firewall.omr_dscp_rule_ef_4.dest='' firewall.omr_dscp_rule1=rule firewall.omr_dscp_rule1.name='omr_dscp_rule1' firewall.omr_dscp_rule1.target='DSCP' firewall.omr_dscp_rule1.set_dscp='CS7' firewall.omr_dscp_rule1.src='' firewall.omr_dscp_rule1.dest='' firewall.omr_dscp_rule1.src_ip='0.0.0.0/0' firewall.omr_dscp_rule1.dest_ip='0.0.0.0/0' firewall.omr_dscp_rule1.proto='icmp' firewall.omr_dscp_rule1.src_port='0-65535' firewall.omr_dscp_rule1.dest_port='0-65535' firewall.omr_dscp_rule2=rule firewall.omr_dscp_rule2.name='omr_dscp_rule2' firewall.omr_dscp_rule2.target='DSCP' firewall.omr_dscp_rule2.set_dscp='CS4' firewall.omr_dscp_rule2.src='' firewall.omr_dscp_rule2.dest='' firewall.omr_dscp_rule2.src_ip='0.0.0.0/0' firewall.omr_dscp_rule2.dest_ip='0.0.0.0/0' firewall.omr_dscp_rule2.proto='udp' firewall.omr_dscp_rule2.src_port='53' '123' '5353' firewall.omr_dscp_rule2.dest_port='0-65535' firewall.omr_dscp_rule3=rule firewall.omr_dscp_rule3.name='omr_dscp_rule3' firewall.omr_dscp_rule3.target='DSCP' firewall.omr_dscp_rule3.set_dscp='CS4' firewall.omr_dscp_rule3.src='' firewall.omr_dscp_rule3.dest='' firewall.omr_dscp_rule3.src_ip='0.0.0.0/0' firewall.omr_dscp_rule3.dest_ip='0.0.0.0/0' firewall.omr_dscp_rule3.proto='tcp' firewall.omr_dscp_rule3.src_port='53' '5353' firewall.omr_dscp_rule3.dest_port='0-65535' firewall.omr_dscp_rule4=rule firewall.omr_dscp_rule4.name='omr_dscp_rule4' firewall.omr_dscp_rule4.target='DSCP' firewall.omr_dscp_rule4.set_dscp='CS4' firewall.omr_dscp_rule4.src='' firewall.omr_dscp_rule4.dest='' firewall.omr_dscp_rule4.src_ip='0.0.0.0/0' firewall.omr_dscp_rule4.dest_ip='0.0.0.0/0' firewall.omr_dscp_rule4.proto='tcp' firewall.omr_dscp_rule4.src_port='0-65535' firewall.omr_dscp_rule4.dest_port='65500' firewall.omr_dscp_rule5=rule firewall.omr_dscp_rule5.name='omr_dscp_rule5' firewall.omr_dscp_rule5.target='DSCP' firewall.omr_dscp_rule5.set_dscp='CS7' firewall.omr_dscp_rule5.src='' firewall.omr_dscp_rule5.dest='' firewall.omr_dscp_rule5.src_ip='0.0.0.0/0' firewall.omr_dscp_rule5.dest_ip='0.0.0.0/0' firewall.omr_dscp_rule5.proto='tcp' firewall.omr_dscp_rule5.src_port='0-65535' firewall.omr_dscp_rule5.dest_port='65001' '65301' '65401' '65011' firewall.omr_dscp_rule6=rule firewall.omr_dscp_rule6.name='omr_dscp_rule6' firewall.omr_dscp_rule6.target='DSCP' firewall.omr_dscp_rule6.set_dscp='CS7' firewall.omr_dscp_rule6.src='' firewall.omr_dscp_rule6.dest='' firewall.omr_dscp_rule6.src_ip='0.0.0.0/0' firewall.omr_dscp_rule6.dest_ip='0.0.0.0/0' firewall.omr_dscp_rule6.proto='udp' firewall.omr_dscp_rule6.src_port='0-65535' firewall.omr_dscp_rule6.dest_port='65001' '65301' firewall.omr_dscp_rule7=rule firewall.omr_dscp_rule7.name='omr_dscp_rule7' firewall.omr_dscp_rule7.target='DSCP' firewall.omr_dscp_rule7.set_dscp='CS6' firewall.omr_dscp_rule7.src='' firewall.omr_dscp_rule7.dest='' firewall.omr_dscp_rule7.src_ip='0.0.0.0/0' firewall.omr_dscp_rule7.dest_ip='0.0.0.0/0' firewall.omr_dscp_rule7.proto='tcp' firewall.omr_dscp_rule7.src_port='0-65535' firewall.omr_dscp_rule7.dest_port='65101' '65228' firewall.omr_dscp_rule8=rule firewall.omr_dscp_rule8.name='omr_dscp_rule8' firewall.omr_dscp_rule8.target='DSCP' firewall.omr_dscp_rule8.set_dscp='EF' firewall.omr_dscp_rule8.src='' firewall.omr_dscp_rule8.dest='' firewall.omr_dscp_rule8.src_ip='0.0.0.0/0' firewall.omr_dscp_rule8.dest_ip='0.0.0.0/0' firewall.omr_dscp_rule8.proto='udp' firewall.omr_dscp_rule8.src_port='0-65535' firewall.omr_dscp_rule8.dest_port='3478-3479' '5060' '5062' '6250' firewall.omr_dscp_rule9=rule firewall.omr_dscp_rule9.name='omr_dscp_rule9' firewall.omr_dscp_rule9.target='DSCP' firewall.omr_dscp_rule9.set_dscp='EF' firewall.omr_dscp_rule9.src='' firewall.omr_dscp_rule9.dest='' firewall.omr_dscp_rule9.src_ip='0.0.0.0/0' firewall.omr_dscp_rule9.dest_ip='0.0.0.0/0' firewall.omr_dscp_rule9.proto='udp' firewall.omr_dscp_rule9.src_port='0-65535' firewall.omr_dscp_rule9.dest_port='1119' '1118' '1117' firewall.omr_dscp_rule10=rule firewall.omr_dscp_rule10.name='omr_dscp_rule10' firewall.omr_dscp_rule10.target='DSCP' firewall.omr_dscp_rule10.set_dscp='EF' firewall.omr_dscp_rule10.src='' firewall.omr_dscp_rule10.dest='' firewall.omr_dscp_rule10.src_ip='0.0.0.0/0' firewall.omr_dscp_rule10.dest_ip='0.0.0.0/0' firewall.omr_dscp_rule10.proto='tcp udp' firewall.omr_dscp_rule10.src_port='0-65535' firewall.omr_dscp_rule10.dest_port='5200' '5201' firewall.omr_dscp_rule11=rule firewall.omr_dscp_rule11.name='omr_dscp_rule11' firewall.omr_dscp_rule11.target='DSCP' firewall.omr_dscp_rule11.set_dscp='EF' firewall.omr_dscp_rule11.src='' firewall.omr_dscp_rule11.dest='' firewall.omr_dscp_rule11.src_ip='0.0.0.0/0' firewall.omr_dscp_rule11.dest_ip='0.0.0.0/0' firewall.omr_dscp_rule11.proto='tcp udp' firewall.omr_dscp_rule11.src_port='0-65535' firewall.omr_dscp_rule11.dest_port='5600' '5601' firewall.omr_dscp_rule12=rule firewall.omr_dscp_rule12.name='omr_dscp_rule12' firewall.omr_dscp_rule12.target='DSCP' firewall.omr_dscp_rule12.set_dscp='EF' firewall.omr_dscp_rule12.src='lan' firewall.omr_dscp_rule12.src_ip='0.0.0.0/0' firewall.omr_dscp_rule12.dest_ip='0.0.0.0/0' firewall.omr_dscp_rule12.proto='tcp udp' firewall.omr_dscp_rule12.src_port='0-65535' firewall.omr_dscp_rule12.dest_port='6000' '6001' firewall.omr_dscp_rule13=rule firewall.omr_dscp_rule13.name='omr_dscp_rule13' firewall.omr_dscp_rule13.target='DSCP' firewall.omr_dscp_rule13.set_dscp='CS1' firewall.omr_dscp_rule13.src='' firewall.omr_dscp_rule13.dest='*' firewall.omr_dscp_rule13.src_ip='0.0.0.0/0' firewall.omr_dscp_rule13.dest_ip='0.0.0.0/0' firewall.omr_dscp_rule13.proto='tcp udp' firewall.omr_dscp_rule13.src_port='0-65535' firewall.omr_dscp_rule13.dest_port='563'

root@OpenMPTCProuter:~# nft list ruleset table ip6 mangle { chain PREROUTING { type filter hook prerouting priority mangle; policy accept; }

    chain INPUT {
            type filter hook input priority mangle; policy accept;
    }

    chain FORWARD {
            type filter hook forward priority mangle; policy accept;
    }

    chain OUTPUT {
            type route hook output priority mangle; policy accept;
    }

    chain POSTROUTING {
            type filter hook postrouting priority mangle; policy accept;
    }

} table ip mangle { chain PREROUTING { type filter hook prerouting priority mangle; policy accept; }

    chain INPUT {
            type filter hook input priority mangle; policy accept;
            counter packets 37843775 bytes 40689822801 jump omr-bypass-dpi
    }

    chain FORWARD {
            type filter hook forward priority mangle; policy accept;
            counter packets 2894753 bytes 1108908929 jump omr-bypass-dpi
    }

    chain OUTPUT {
            type route hook output priority mangle; policy accept;
    }

    chain POSTROUTING {
            type filter hook postrouting priority mangle; policy accept;
    }

    chain omr-bypass-dpi {
    }

} table inet fw4 { ct helper amanda { type "amanda" protocol udp l3proto inet }

    ct helper ftp {
            type "ftp" protocol tcp
            l3proto inet
    }

    ct helper RAS {
            type "RAS" protocol udp
            l3proto inet
    }

    ct helper Q.931 {
            type "Q.931" protocol tcp
            l3proto inet
    }

    ct helper irc {
            type "irc" protocol tcp
            l3proto ip
    }

    ct helper netbios-ns {
            type "netbios-ns" protocol udp
            l3proto ip
    }

    ct helper pptp {
            type "pptp" protocol tcp
            l3proto ip
    }

    ct helper sane {
            type "sane" protocol tcp
            l3proto inet
    }

    ct helper sip {
            type "sip" protocol udp
            l3proto inet
    }

    ct helper snmp {
            type "snmp" protocol udp
            l3proto ip
    }

    ct helper tftp {
            type "tftp" protocol udp
            l3proto inet
    }

    set omr_dst_bypass_eth0_4 {
            type ipv4_addr
    }

    set omr_dst_bypass_eth0_6 {
            type ipv6_addr
    }

    set omr_dst_bypass_eth1_4 {
            type ipv4_addr
    }

    set omr_dst_bypass_eth1_6 {
            type ipv6_addr
    }

    set omr_dst_bypass_eth2_4 {
            type ipv4_addr
    }

    set omr_dst_bypass_eth2_6 {
            type ipv6_addr
    }

    set omr_dst_bypass_tun0_4 {
            type ipv4_addr
    }

    set omr_dst_bypass_tun0_6 {
            type ipv6_addr
    }

    set omr_dst_bypass_all_4 {
            type ipv4_addr
    }

    set omr_dst_bypass_all_6 {
            type ipv6_addr
    }

    set omr_dscp_cs0_4 {
            type ipv4_addr
    }

    set omr_dscp_cs1_4 {
            type ipv4_addr
            elements = { 2.21.22.106, 2.21.22.107,
                         2.21.22.113, 2.21.22.114 }
    }

    set omr_dscp_cs2_4 {
            type ipv4_addr
            elements = { 23.50.131.24, 23.50.131.29,
                         31.13.84.49, 142.250.74.202,
                         142.250.74.206, 142.250.181.234,
                         142.250.181.238, 142.250.184.202,
                         142.250.184.206, 142.250.184.234,
                         142.250.184.238, 142.250.185.74,
                         142.250.185.78, 142.250.185.101,
                         142.250.185.106, 142.250.185.110,
                         142.250.185.138, 142.250.185.142,
                         142.250.185.150, 142.250.185.170,
                         142.250.185.174, 142.250.185.196,
                         142.250.185.202, 142.250.185.206,
                         142.250.185.234, 142.250.185.238,
                         142.250.186.42, 142.250.186.46,
                         142.250.186.74, 142.250.186.78,
                         142.250.186.106, 142.250.186.110,
                         142.250.186.133, 142.250.186.138,
                         142.250.186.142, 142.250.186.170,
                         142.250.186.174, 157.240.252.60,
                         172.217.16.138, 172.217.16.202,
                         172.217.16.206, 172.217.18.10,
                         172.217.18.14, 172.217.18.106,
                         172.217.23.106, 172.217.23.110,
                         216.58.206.42, 216.58.206.46,
                         216.58.206.74, 216.58.206.78,
                         216.58.212.138, 216.58.212.170,
                         216.58.212.174, 216.239.32.223,
                         216.239.34.223, 216.239.36.223,
                         216.239.38.223 }
    }

    set omr_dscp_cs3_4 {
            type ipv4_addr
    }

    set omr_dscp_cs4_4 {
            type ipv4_addr
            elements = { 2.21.20.21, 2.21.20.23,
                         3.66.127.206, 3.69.158.196,
                         3.72.163.211, 3.120.62.62,
                         3.120.236.16, 3.121.247.13,
                         3.122.57.136, 3.123.95.173,
                         3.123.216.215, 3.124.36.78,
                         3.126.107.200, 13.36.163.113,
                         13.38.155.64, 18.184.217.151,
                         18.185.20.60, 18.185.186.149,
                         18.192.139.66, 18.194.134.112,
                         18.197.192.65, 18.203.183.124,
                         23.213.161.206, 23.213.161.222,
                         34.253.124.49, 35.181.133.4,
                         52.29.207.205, 52.222.214.23,
                         52.222.214.30, 52.222.214.43,
                         52.222.214.104, 54.76.63.236,
                         185.159.107.205 }
    }

    set omr_dscp_cs5_4 {
            type ipv4_addr
    }

    set omr_dscp_cs6_4 {
            type ipv4_addr
    }

    set omr_dscp_cs7_4 {
            type ipv4_addr
    }

    set omr_dscp_ef_4 {
            type ipv4_addr
    }

    set ss_rules_src_bypass {
            type ipv4_addr
            flags interval
            auto-merge
    }

    set ss_rules6_src_bypass {
            type ipv6_addr
            flags interval
            auto-merge
    }

    set ss_rules_src_forward {
            type ipv4_addr
            flags interval
            auto-merge
    }

    set ss_rules6_src_forward {
            type ipv6_addr
            flags interval
            auto-merge
    }

    set ss_rules_src_checkdst {
            type ipv4_addr
            flags interval
            auto-merge
    }

    set ss_rules6_src_checkdst {
            type ipv6_addr
            flags interval
            auto-merge
    }

    set ss_rules_remote_servers {
            type ipv4_addr
            flags interval
            auto-merge
            elements = { 10.255.247.1, 178.254.20.73 }
    }

    set ss_rules6_remote_servers {
            type ipv6_addr
            flags interval
            auto-merge
    }

    set ss_rules_dst_bypass {
            type ipv4_addr
            flags interval
            auto-merge
    }

    set ss_rules6_dst_bypass {
            type ipv6_addr
            flags interval
            auto-merge
    }

    set ss_rules_dst_bypass_ {
            type ipv4_addr
            flags interval
            auto-merge
            elements = { 0.0.0.0/8, 10.0.0.0/8,
                         100.64.0.0/10, 127.0.0.0/8,
                         169.254.0.0/16, 172.16.0.0/12,
                         192.0.0.0/24, 192.0.2.0/24,
                         192.31.196.0/24, 192.52.193.0/24,
                         192.88.99.0/24, 192.168.0.0/16,
                         192.175.48.0/24, 198.18.0.0/15,
                         198.51.100.0/24, 203.0.113.0/24,
                         224.0.0.0/3 }
    }

    set ss_rules6_dst_bypass_ {
            type ipv6_addr
            flags interval
            auto-merge
            elements = { ::/127,
                         ::ffff:0.0.0.0/96,
                         64:ff9b:1::/48,
                         100::/64,
                         2001::/23,
                         fc00::/7,
                         fe80::/10 }
    }

    set ss_rules_dst_forward {
            type ipv4_addr
            flags interval
            auto-merge
    }

    set ss_rules6_dst_forward {
            type ipv6_addr
            flags interval
            auto-merge
    }

    set ss_rules_dst_forward_rrst_ {
            type ipv4_addr
            flags interval
            auto-merge
    }

    set ss_rules6_dst_forward_rrst_ {
            type ipv6_addr
            flags interval
            auto-merge
    }

    chain ss_rules_pre_tcp {
            type nat hook prerouting priority filter + 1; policy accept;
            meta mark 0x00004539 accept
            ip daddr @omr_dst_bypass_all_4 accept
            meta mark 0x45391500 accept
            ip daddr @omr_dst_bypass_tun0_4 accept
            meta mark 0x00045394 accept
            ip daddr @omr_dst_bypass_eth2_4 accept
            meta mark 0x00045393 accept
            ip daddr @omr_dst_bypass_eth1_4 accept
            meta mark 0x45399999 accept
            ip daddr @omr_dst_bypass_eth0_4 accept
            meta mark 0x00004539 accept
            ip daddr @omr_dst_bypass_all_4 accept
            meta mark 0x45391500 accept
            ip daddr @omr_dst_bypass_tun0_4 accept
            meta mark 0x00045394 accept
            ip daddr @omr_dst_bypass_eth2_4 accept
            meta mark 0x00045393 accept
            ip daddr @omr_dst_bypass_eth1_4 accept
            meta mark 0x45399999 accept
            ip daddr @omr_dst_bypass_eth0_4 accept
            meta l4proto tcp goto ss_rules_pre_src_tcp
    }

    chain ss_rules_pre_src_tcp {
            ip daddr @ss_rules_dst_bypass_ accept
            ip6 daddr @ss_rules6_dst_bypass_ accept
            goto ss_rules_src_tcp
    }

    chain ss_rules_src_tcp {
            ip saddr @ss_rules_src_bypass accept
            ip saddr @ss_rules_src_forward goto ss_rules_forward_tcp
            ip saddr @ss_rules_src_checkdst goto ss_rules_dst_tcp
            ip6 saddr @ss_rules6_src_bypass accept
            ip6 saddr @ss_rules6_src_forward goto ss_rules_forward_tcp
            ip6 saddr @ss_rules6_src_checkdst goto ss_rules_dst_tcp
            goto ss_rules_forward_tcp
    }

    chain ss_rules_dst_tcp {
            ip daddr @ss_rules_dst_bypass accept
            ip daddr @ss_rules_remote_servers accept
            ip daddr @ss_rules_dst_forward goto ss_rules_forward_tcp
            ip6 daddr @ss_rules6_dst_bypass accept
            ip6 daddr @ss_rules6_remote_servers accept
            ip6 daddr @ss_rules6_dst_forward goto ss_rules_forward_tcp
            goto ss_rules_forward_tcp
    }

    chain ss_rules_forward_tcp {
            meta l4proto tcp redirect to :1100-1101
    }

    chain ss_rules_local_out {
            type nat hook output priority filter - 1; policy accept;
            meta mark 0x00004539 accept
            ip daddr @omr_dst_bypass_all_4 accept
            meta mark 0x45391500 accept
            ip daddr @omr_dst_bypass_tun0_4 accept
            meta mark 0x00045394 accept
            ip daddr @omr_dst_bypass_eth2_4 accept
            meta mark 0x00045393 accept
            ip daddr @omr_dst_bypass_eth1_4 accept
            meta mark 0x45399999 accept
            ip daddr @omr_dst_bypass_eth0_4 accept
            meta mark 0x00004539 accept
            ip daddr @omr_dst_bypass_all_4 accept
            meta mark 0x45391500 accept
            ip daddr @omr_dst_bypass_tun0_4 accept
            meta mark 0x00045394 accept
            ip daddr @omr_dst_bypass_eth2_4 accept
            meta mark 0x00045393 accept
            ip daddr @omr_dst_bypass_eth1_4 accept
            meta mark 0x45399999 accept
            ip daddr @omr_dst_bypass_eth0_4 accept
            meta l4proto != tcp accept
            ip daddr @ss_rules_remote_servers accept
            ip daddr @ss_rules_dst_bypass_ accept
            ip daddr @ss_rules_dst_bypass accept
            ip6 daddr @ss_rules6_remote_servers accept
            ip6 daddr @ss_rules6_dst_bypass_ accept
            ip6 daddr @ss_rules6_dst_bypass accept
            goto ss_rules_forward_tcp
    }

    chain input {
            type filter hook input priority filter; policy drop;
            iif "lo" accept comment "!fw4: Accept traffic from loopback"
            ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
            tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
            iifname "eth0" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
            iifname { "eth1", "eth2" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
            iifname "tun0" jump input_vpn comment "!fw4: Handle vpn IPv4/IPv6 input traffic"
            jump handle_reject
    }

    chain forward {
            type filter hook forward priority filter; policy drop;
            ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
            icmp type echo-request limit rate 1000/second counter packets 115 bytes 3610 accept comment "!fw4: Allow-All-Ping"
            icmpv6 type echo-request limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-All-Ping"
            iifname "eth0" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
            iifname { "eth1", "eth2" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
            iifname "tun0" jump forward_vpn comment "!fw4: Handle vpn IPv4/IPv6 forward traffic"
            jump upnp_forward comment "Hook into miniupnpd forwarding chain"
            jump handle_reject
    }

    chain output {
            type filter hook output priority filter; policy drop;
            oif "lo" accept comment "!fw4: Accept traffic towards loopback"
            ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
            oifname "eth0" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
            oifname { "eth1", "eth2" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
            oifname "tun0" jump output_vpn comment "!fw4: Handle vpn IPv4/IPv6 output traffic"
            jump handle_reject
    }

    chain prerouting {
            type filter hook prerouting priority filter; policy accept;
            icmp type echo-request limit rate 1000/second counter packets 2144 bytes 95781 accept comment "!fw4: Allow-All-Ping"
            icmpv6 type echo-request limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-All-Ping"
            counter packets 2762999 bytes 2023640160 jump accept_to_vpn comment "!fw4: Allow-All-LAN-to-VPN"
            counter packets 2762999 bytes 2023640160 jump accept_to_wan comment "!fw4: Allow-Lan-to-Wan"
            jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
            jump accept_to_vpn comment "!fw4: Accept lan to vpn forwarding"
            iifname "eth0" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
            icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 356 bytes 88568 accept comment "!fw4: Allow-ICMPv6-Forward"
            icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
            meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
            udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
    }

    chain handle_reject {
            meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
            reject comment "!fw4: Reject any other traffic"
    }

    chain syn_flood {
            limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
            drop comment "!fw4: Drop excess packets"
    }

    chain input_lan {
            icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 6 bytes 1096 accept comment "!fw4: ICMPv6-Lan-to-OMR"
            ct status dnat accept comment "!fw4: Accept port redirections"
            jump accept_from_lan
    }

    chain output_lan {
            jump accept_to_lan
    }

    chain forward_lan {
            counter packets 2566 bytes 562161 jump accept_to_vpn comment "!fw4: Allow-All-LAN-to-VPN"
            counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: Allow-Lan-to-Wan"
            jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
            jump accept_to_vpn comment "!fw4: Accept lan to vpn forwarding"
            ct status dnat accept comment "!fw4: Accept port forwards"
            jump accept_to_lan
    }

    chain helper_lan {
            udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
            tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking"
            udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
            tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
            meta nfproto ipv4 tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
            meta nfproto ipv4 udp dport 137 ct helper set "netbios-ns" comment "!fw4: NetBIOS name service broadcast tracking"
            meta nfproto ipv4 tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
            tcp dport 6566 ct helper set "sane" comment "!fw4: SANE scanner connection tracking"
            udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
            meta nfproto ipv4 udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
            udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
    }

    chain accept_from_lan {
            iifname "eth0" counter packets 1570 bytes 135794 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
    }

    chain accept_to_lan {
            oifname "eth0" counter packets 445 bytes 87044 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
    }

    chain input_wan {
            meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
            icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
            meta nfproto ipv4 meta l4proto igmp counter packets 152 bytes 5472 accept comment "!fw4: Allow-IGMP"
            meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
            ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
            icmpv6 type { nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow IPv6 ICMP"
            icmpv6 type . icmpv6 code { nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow IPv6 ICMP"
            meta nfproto ipv6 udp sport 546 udp dport 547 counter packets 0 bytes 0 accept comment "!fw4: Allow DHCPv6 (546-to-547)"
            meta nfproto ipv6 udp sport 547 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow DHCPv6 (547-to-546)"
            ct status dnat accept comment "!fw4: Accept port redirections"
            jump reject_from_wan
    }

    chain output_wan {
            jump accept_to_wan
    }

    chain forward_wan {
            icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
            icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
            meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
            udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
            ct status dnat accept comment "!fw4: Accept port forwards"
            jump reject_to_wan
    }

    chain accept_to_wan {
            meta nfproto ipv4 oifname { "eth1", "eth2" } ct state invalid counter packets 11 bytes 704 drop comment "!fw4: Prevent NAT leakage"
            oifname { "eth1", "eth2" } counter packets 8685 bytes 643728 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
    }

    chain reject_from_wan {
            iifname { "eth1", "eth2" } counter packets 135 bytes 10326 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
    }

    chain reject_to_wan {
            oifname { "eth1", "eth2" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
    }

    chain input_vpn {
            meta l4proto { icmp, ipv6-icmp } counter packets 164 bytes 13776 accept comment "!fw4: Allow-VPN-ICMP"
            ct status dnat accept comment "!fw4: Accept port redirections"
            jump reject_from_vpn
    }

    chain output_vpn {
            jump accept_to_vpn
    }

    chain forward_vpn {
            ct status dnat accept comment "!fw4: Accept port forwards"
            jump accept_to_vpn
    }

    chain accept_to_vpn {
            meta nfproto ipv4 oifname "tun0" ct state invalid counter packets 186 bytes 7476 drop comment "!fw4: Prevent NAT leakage"
            oifname "tun0" counter packets 5156 bytes 766937 accept comment "!fw4: accept vpn IPv4/IPv6 traffic"
    }

    chain reject_from_vpn {
            iifname "tun0" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject vpn IPv4/IPv6 traffic"
    }

    chain dstnat {
            type nat hook prerouting priority dstnat; policy accept;
            iifname "eth0" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
            iifname "tun0" jump dstnat_vpn comment "!fw4: Handle vpn IPv4/IPv6 dstnat traffic"
            jump upnp_prerouting comment "Hook into miniupnpd prerouting chain"
    }

    chain srcnat {
            type nat hook postrouting priority srcnat; policy accept;
            oifname "eth0" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
            oifname { "eth1", "eth2" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
            oifname "tun0" jump srcnat_vpn comment "!fw4: Handle vpn IPv4/IPv6 srcnat traffic"
            jump upnp_postrouting comment "Hook into miniupnpd postrouting chain"
    }

    chain dstnat_lan {
    }

    chain srcnat_lan {
    }

    chain srcnat_wan {
            meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
    }

    chain dstnat_vpn {
            meta nfproto ipv4 tcp dport 0-64999 counter packets 975 bytes 50332 dnat ip to 192.168.100.2:0-64999 comment "!fw4: Alle"
            meta nfproto ipv4 udp dport 0-64999 counter packets 13 bytes 1136 dnat ip to 192.168.100.2:0-64999 comment "!fw4: Alle"
    }

    chain srcnat_vpn {
            meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 vpn traffic"
    }

    chain raw_prerouting {
            type filter hook prerouting priority raw; policy accept;
    }

    chain raw_output {
            type filter hook output priority raw; policy accept;
    }

    chain mangle_prerouting {
            type filter hook prerouting priority mangle; policy accept;
    }

    chain mangle_postrouting {
            type filter hook postrouting priority mangle; policy accept;
            oifname "eth0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone lan IPv4/IPv6 egress MTU fixing"
            oifname { "eth1", "eth2" } tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
            oifname "tun0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 egress MTU fixing"
    }

    chain mangle_input {
            type filter hook input priority mangle; policy accept;
            iifname "eth0" ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport { 6000, 6001 } counter packets 0 bytes 0 ip dscp set ef comment "!fw4: omr_dscp_rule12"
            iifname "eth0" ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport 0-65535 udp dport { 6000, 6001 } counter packets 0 bytes 0 ip dscp set ef comment "!fw4: omr_dscp_rule12"
    }

    chain mangle_output {
            type route hook output priority mangle; policy accept;
    }

    chain mangle_forward {
            type filter hook forward priority mangle; policy accept;
            meta l4proto tcp ip daddr @omr_dscp_cs0_4 counter packets 0 bytes 0 ip dscp set cs0 comment "!fw4: omr_dscp_cs0_4"
            meta l4proto udp ip daddr @omr_dscp_cs0_4 counter packets 0 bytes 0 ip dscp set cs0 comment "!fw4: omr_dscp_cs0_4"
            meta l4proto tcp ip daddr @omr_dscp_cs1_4 counter packets 0 bytes 0 ip dscp set cs1 comment "!fw4: omr_dscp_cs1_4"
            meta l4proto udp ip daddr @omr_dscp_cs1_4 counter packets 0 bytes 0 ip dscp set cs1 comment "!fw4: omr_dscp_cs1_4"
            meta l4proto tcp ip daddr @omr_dscp_cs2_4 counter packets 1 bytes 52 ip dscp set cs2 comment "!fw4: omr_dscp_cs2_4"
            meta l4proto udp ip daddr @omr_dscp_cs2_4 counter packets 645 bytes 392152 ip dscp set cs2 comment "!fw4: omr_dscp_cs2_4"
            meta l4proto tcp ip daddr @omr_dscp_cs3_4 counter packets 0 bytes 0 ip dscp set cs3 comment "!fw4: omr_dscp_cs3_4"
            meta l4proto udp ip daddr @omr_dscp_cs3_4 counter packets 0 bytes 0 ip dscp set cs3 comment "!fw4: omr_dscp_cs3_4"
            meta l4proto tcp ip daddr @omr_dscp_cs4_4 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_cs4_4"
            meta l4proto udp ip daddr @omr_dscp_cs4_4 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_cs4_4"
            meta l4proto tcp ip daddr @omr_dscp_cs5_4 counter packets 0 bytes 0 ip dscp set cs5 comment "!fw4: omr_dscp_cs5_4"
            meta l4proto udp ip daddr @omr_dscp_cs5_4 counter packets 0 bytes 0 ip dscp set cs5 comment "!fw4: omr_dscp_cs5_4"
            meta l4proto tcp ip daddr @omr_dscp_cs6_4 counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_cs6_4"
            meta l4proto udp ip daddr @omr_dscp_cs6_4 counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_cs6_4"
            meta l4proto tcp ip daddr @omr_dscp_cs7_4 counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_cs7_4"
            meta l4proto udp ip daddr @omr_dscp_cs7_4 counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_cs7_4"
            meta l4proto tcp ip daddr @omr_dscp_ef_4 counter packets 0 bytes 0 ip dscp set ef comment "!fw4: omr_dscp_ef_4"
            meta l4proto udp ip daddr @omr_dscp_ef_4 counter packets 0 bytes 0 ip dscp set ef comment "!fw4: omr_dscp_ef_4"
            meta l4proto icmp ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 counter packets 1846 bytes 108661 ip dscp set cs7 comment "!fw4: omr_dscp_rule1"
            ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport { 53, 123, 5353 } udp dport 0-65535 counter packets 1407 bytes 211192 ip dscp set cs4 comment "!fw4: omr_dscp_rule2"
            ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport { 53, 5353 } tcp dport 0-65535 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_rule3"
            ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport 65500 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_rule4"
            ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport { 65001, 65011, 65301, 65401 } counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_rule5"
            ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport 0-65535 udp dport { 65001, 65301 } counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_rule6"
            ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport { 65101, 65228 } counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_rule7"
            ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport 0-65535 udp dport { 3478-3479, 5060, 5062, 6250 } counter packets 1779 bytes 384740 ip dscp set ef comment "!fw4: omr_dscp_rule8"
            ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport 0-65535 udp dport { 1117, 1118, 1119 } counter packets 0 bytes 0 ip dscp set ef comment "!fw4: omr_dscp_rule9"
            ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport { 5200, 5201 } counter packets 3 bytes 152 ip dscp set ef comment "!fw4: omr_dscp_rule10"
            ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport 0-65535 udp dport { 5200, 5201 } counter packets 0 bytes 0 ip dscp set ef comment "!fw4: omr_dscp_rule10"
            ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport { 5600, 5601 } counter packets 0 bytes 0 ip dscp set ef comment "!fw4: omr_dscp_rule11"
            ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport 0-65535 udp dport { 5600, 5601 } counter packets 0 bytes 0 ip dscp set ef comment "!fw4: omr_dscp_rule11"
            ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport 563 counter packets 0 bytes 0 ip dscp set cs1 comment "!fw4: omr_dscp_rule13"
            ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport 0-65535 udp dport 563 counter packets 0 bytes 0 ip dscp set cs1 comment "!fw4: omr_dscp_rule13"
            iifname "eth0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone lan IPv4/IPv6 ingress MTU fixing"
            iifname { "eth1", "eth2" } tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
            iifname "tun0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 ingress MTU fixing"
    }

    chain upnp_forward {
    }

    chain upnp_prerouting {
    }

    chain upnp_postrouting {
    }

}