Gufw

mangle table and DSCP

Asked by Davidiam

Hello
some help pls
If I do this
>sudo iptables -A POSTROUTING -t mangle -p udp --dport 4500 -j DSCP --set-dscp 0x2e
I get this

> sudo iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
DSCP udp -- anywhere anywhere udp dpt:4500 DSCP set 0x2e

But how can I do it with ufw, allready try adding the folling lines but it did not work.

>sudo nano /usr/share/ufw/before.rules
*mangle
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -p udp --sport 4500 -j DSCP --set-dscp 0x2e
-A POSTROUTING -p udp --dport 4500 -j DSCP --set-dscp 0x2e
COMMIT

>sudo ufw stop
>sudo ufw start

Question information

Language:
English Edit question
Status:
Answered
For:
Gufw Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
costales (costales) said : 		#1

Hi! This is a question for ufw package ;)
Best regards.

Revision history for this message
Jamie Strandboge (jdstrand) said : 		#2

Your addition to before.rules looks correct (assuming that the *filter section is still intact, with its own COMMIT line). Adding the above and doing:
$ sudo ufw disable
$ sudo ufw enable

works just fine (ie 'iptables -L -n -t mangle' show the new rule).

Revision history for this message
Davidiam (hectorjerezano) said : 		#3

Although if I restart ufw it creates another 2 rules same as the conf
file , so every time I restart it actually clones the rules, I think
some where I should be telling ufw to flush that table like so =
iptables -F -t mangle, but where?

 Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
DSCP udp -- 0.0.0.0/0 0.0.0.0/0 udp
spt:4500 DSCP set 0x2e
DSCP udp -- 0.0.0.0/0 0.0.0.0/0 udp
dpt:4500 DSCP set 0x2e
DSCP udp -- 0.0.0.0/0 0.0.0.0/0 udp
spt:4500 DSCP set 0x2e
DSCP udp -- 0.0.0.0/0 0.0.0.0/0 udp
dpt:4500 DSCP set 0x2e
DSCP udp -- 0.0.0.0/0 0.0.0.0/0 udp
spt:4500 DSCP set 0x2e
DSCP udp -- 0.0.0.0/0 0.0.0.0/0 udp
dpt:4500 DSCP set 0x2e

El lun, 15-12-2008 a las 20:46 +0000, Jamie Strandboge escribió:

> Your question #54113 on Gufw changed:
> https://answers.launchpad.net/gui-ufw/+question/54113
>
> Jamie Strandboge proposed the following answer:
> Your addition to before.rules looks correct (assuming that the *filter section is still intact, with its own COMMIT line). Adding the above and doing:
> $ sudo ufw disable
> $ sudo ufw enable
>
> works just fine (ie 'iptables -L -n -t mangle' show the new rule).
>

Revision history for this message
Jamie Strandboge (jdstrand) said : 		#4

The rules aren't cloned, the table just isn't flushed each time you run disable and enable. This is a current limitation of ufw. As a workaround, use iptables directly to flush the mangle table. I will probably provide a way to do this from within ufw in a future release.

Can you help with this problem?

Provide an answer of your own, or ask Davidiam for more information if necessary.

To post a message you must log in.