
OMR-Bypass doesn't work for subdomains (or only works for top-level domains) #3693

Open
Schinkentanz opened this issue Dec 1, 2024 · 8 comments

@Schinkentanz

Expected Behavior

When using OMR-Bypass with netflix enabled in "Protocols and services" or nflxvideo.net configured as a domain in "Domains", the bypass should work not only for the top-level domain, but also for any subdomain (e.g. random.sub.domain.name.nflxvideo.net).

Note

Netflix is just an example, it's the same for any other subdomain.
It also doesn't work if only one bypass option is used.

Current Behavior

When running traceroute nflxvideo.net on a device where the MPTCP router is configured as the DNS server, the request is correctly routed through the configured master interface:

❯ traceroute nflxvideo.net
traceroute: Warning: nflxvideo.net has multiple addresses; using 107.20.175.192
traceroute to nflxvideo.net (107.20.175.192), 64 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  6.355 ms  3.000 ms  2.871 ms
 2  openmptcprouter.lan (192.168.42.1)  3.322 ms  3.011 ms  3.210 ms
 3  192.168.178.1 (192.168.178.1)  6.758 ms  5.734 ms  5.293 ms
.... <redacted>

When running traceroute ipv4-c088-ord001-dev-ix.1.oca.nflxvideo.net on the same device, the request will not be routed through the configured master interface, but will use the VPS:

❯ traceroute ipv4-c088-ord001-dev-ix.1.oca.nflxvideo.net
traceroute to ipv4-c088-ord001-dev-ix.1.oca.nflxvideo.net (198.38.109.219), 64 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  6.151 ms  3.118 ms  2.984 ms
 2  openmptcprouter.lan (192.168.42.1)  3.307 ms  3.451 ms  4.952 ms
 3  10.255.252.1 (10.255.252.1)  18.369 ms  17.544 ms  17.893 ms
.... <redacted>

Steps to Reproduce the Problem

Note

Tested at time of issue creation

  1. Install the latest snapshot on a fresh VPS (as described in Wiki)
  2. Install the latest snapshot squashfs image for RPI5 on an empty SD card
  3. Setup router in a minimal way
    1. Add server IP & key
    2. Add 2 WAN interfaces
    3. Setup OMR-Bypass as described above
    4. Use traceroute on any connected client

Specifications

  • OpenMPTCProuter version: openmptcprouter-v0.62-snapshot-6.6-r0+28016-48028cd102-bcm27xx-bcm2712-rpi-5-squashfs-factory
  • OpenMPTCProuter VPS version: 0.1032-test 6.6.36-x64v2-xanmod1
  • OpenMPTCProuter platform: RPI5
@Ysurac
Owner

Ysurac commented Dec 2, 2024

Are you sure you are using only the OpenMPTCProuter IP address as DNS?

@Schinkentanz
Author

Yes, the IP address of the OpenMPTCProuter is the only configured DNS server:

❯ scutil --dns | grep nameserver
  nameserver[0] : 192.168.42.1
❯ dig +noall +stats ipv4-c088-ord001-dev-ix.1.oca.nflxvideo.net
;; Query time: 27 msec
;; SERVER: 192.168.42.1#53(192.168.42.1)
;; WHEN: Mon Dec 02 14:23:50 CET 2024
;; MSG SIZE  rcvd: 88
❯ dig +noall +stats nflxvideo.net
;; Query time: 56 msec
;; SERVER: 192.168.42.1#53(192.168.42.1)
;; WHEN: Mon Dec 02 14:23:54 CET 2024
;; MSG SIZE  rcvd: 90

@Ysurac
Owner

Ysurac commented Dec 3, 2024

What is the result of /etc/init.d/omr-bypass restart and /etc/init.d/firewall restart via SSH on the router?
I would also need the result of nft list ruleset.

@Schinkentanz
Author

Sure, thanks for taking a closer look!

root@OpenMPTCProuter:~# /etc/init.d/omr-bypass restart
root@OpenMPTCProuter:~#
root@OpenMPTCProuter:~# /etc/init.d/firewall restart
Section omr_dst_bypass_eth0_dstip_4 (omr_dst_bypass_eth0_rule) is disabled, ignoring section
Section omr_dst_bypass_eth0_dstip_4_accept (omr_dst_bypass_eth0_rule_accept) is disabled, ignoring section
Section omr_dst_bypass_eth0_srcip_4 (omr_dst_bypass_eth0_srcip) is disabled, ignoring section
Section omr_dst_bypass_eth0_mac_4 (omr_dst_bypass_eth0_mac) is disabled, ignoring section
Section omr_dst_bypass_eth0_srcport_tcp_4 (omr_dst_bypass_eth0_srcport_tcp) is disabled, ignoring section
Section omr_dst_bypass_eth0_srcport_udp_4 (omr_dst_bypass_eth0_srcport_udp) is disabled, ignoring section
Section omr_dst_bypass_eth0_dstport_tcp_4 (omr_dst_bypass_eth0_dstport_tcp) is disabled, ignoring section
Section omr_dst_bypass_eth0_dstport_udp_4 (omr_dst_bypass_eth0_dstport_udp) is disabled, ignoring section
Section omr_dst_bypass_wan1_dstip_4 (omr_dst_bypass_wan1_rule) is disabled, ignoring section
Section omr_dst_bypass_wan1_dstip_4_accept (omr_dst_bypass_wan1_rule_accept) is disabled, ignoring section
Section omr_dst_bypass_wan1_srcip_4 (omr_dst_bypass_wan1_srcip) is disabled, ignoring section
Section omr_dst_bypass_wan1_mac_4 (omr_dst_bypass_wan1_mac) is disabled, ignoring section
Section omr_dst_bypass_wan1_srcport_tcp_4 (omr_dst_bypass_wan1_srcport_tcp) is disabled, ignoring section
Section omr_dst_bypass_wan1_srcport_udp_4 (omr_dst_bypass_wan1_srcport_udp) is disabled, ignoring section
Section omr_dst_bypass_wan1_dstport_tcp_4 (omr_dst_bypass_wan1_dstport_tcp) is disabled, ignoring section
Section omr_dst_bypass_wan1_dstport_udp_4 (omr_dst_bypass_wan1_dstport_udp) is disabled, ignoring section
Section omr_dst_bypass_wan2_dstip_4 (omr_dst_bypass_wan2_rule) is disabled, ignoring section
Section omr_dst_bypass_wan2_dstip_4_accept (omr_dst_bypass_wan2_rule_accept) is disabled, ignoring section
Section omr_dst_bypass_wan2_srcip_4 (omr_dst_bypass_wan2_srcip) is disabled, ignoring section
Section omr_dst_bypass_wan2_mac_4 (omr_dst_bypass_wan2_mac) is disabled, ignoring section
Section omr_dst_bypass_wan2_srcport_tcp_4 (omr_dst_bypass_wan2_srcport_tcp) is disabled, ignoring section
Section omr_dst_bypass_wan2_srcport_udp_4 (omr_dst_bypass_wan2_srcport_udp) is disabled, ignoring section
Section omr_dst_bypass_wan2_dstport_tcp_4 (omr_dst_bypass_wan2_dstport_tcp) is disabled, ignoring section
Section omr_dst_bypass_wan2_dstport_udp_4 (omr_dst_bypass_wan2_dstport_udp) is disabled, ignoring section
Section omr_dst_bypass_tun0_dstip_4 (omr_dst_bypass_tun0_rule) is disabled, ignoring section
Section omr_dst_bypass_tun0_dstip_4_accept (omr_dst_bypass_tun0_rule_accept) is disabled, ignoring section
Section omr_dst_bypass_tun0_srcip_4 (omr_dst_bypass_tun0_srcip) is disabled, ignoring section
Section omr_dst_bypass_tun0_mac_4 (omr_dst_bypass_tun0_mac) is disabled, ignoring section
Section omr_dst_bypass_tun0_srcport_tcp_4 (omr_dst_bypass_tun0_srcport_tcp) is disabled, ignoring section
Section omr_dst_bypass_tun0_srcport_udp_4 (omr_dst_bypass_tun0_srcport_udp) is disabled, ignoring section
Section omr_dst_bypass_tun0_dstport_tcp_4 (omr_dst_bypass_tun0_dstport_tcp) is disabled, ignoring section
Section omr_dst_bypass_tun0_dstport_udp_4 (omr_dst_bypass_tun0_dstport_udp) is disabled, ignoring section
Section omr_dst_bypass_all_srcip_4 (omr_dst_bypass_all_srcip) is disabled, ignoring section
Section omr_dst_bypass_all_mac_4 (omr_dst_bypass_all_mac) is disabled, ignoring section
Section omr_dst_bypass_all_srcport_tcp_4 (omr_dst_bypass_all_srcport_tcp) is disabled, ignoring section
Section omr_dst_bypass_all_srcport_udp_4 (omr_dst_bypass_all_srcport_udp) is disabled, ignoring section
Section omr_dst_bypass_all_dstport_tcp_4 (omr_dst_bypass_all_dstport_tcp) is disabled, ignoring section
Section omr_dst_bypass_all_dstport_udp_4 (omr_dst_bypass_all_dstport_udp) is disabled, ignoring section
Section user specifies unreachable path '/etc/firewall.user', ignoring section
Section omr_bypass option 'reload' is not supported by fw4
Automatically including '/usr/share/nftables.d/table-post/20-miniupnpd.nft'
Automatically including '/usr/share/nftables.d/chain-post/dstnat/20-miniupnpd.nft'
Automatically including '/usr/share/nftables.d/chain-post/forward/20-miniupnpd.nft'
Automatically including '/usr/share/nftables.d/chain-post/srcnat/20-miniupnpd.nft'
root@OpenMPTCProuter:~#
root@OpenMPTCProuter:~# nft list ruleset
table ip mangle {
	chain PREROUTING {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain INPUT {
		type filter hook input priority mangle; policy accept;
		counter packets 10115 bytes 10363839 jump omr-bypass-dpi
	}

	chain FORWARD {
		type filter hook forward priority mangle; policy accept;
		counter packets 278 bytes 101655 jump omr-bypass-dpi
	}

	chain OUTPUT {
		type route hook output priority mangle; policy accept;
	}

	chain POSTROUTING {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain omr-bypass-dpi {
	}
}
table inet fw4 {
	ct helper amanda {
		type "amanda" protocol udp
		l3proto inet
	}

	ct helper ftp {
		type "ftp" protocol tcp
		l3proto inet
	}

	ct helper RAS {
		type "RAS" protocol udp
		l3proto inet
	}

	ct helper Q.931 {
		type "Q.931" protocol tcp
		l3proto inet
	}

	ct helper irc {
		type "irc" protocol tcp
		l3proto ip
	}

	ct helper netbios-ns {
		type "netbios-ns" protocol udp
		l3proto ip
	}

	ct helper pptp {
		type "pptp" protocol tcp
		l3proto ip
	}

	ct helper sane {
		type "sane" protocol tcp
		l3proto inet
	}

	ct helper sip {
		type "sip" protocol udp
		l3proto inet
	}

	ct helper snmp {
		type "snmp" protocol udp
		l3proto ip
	}

	ct helper tftp {
		type "tftp" protocol udp
		l3proto inet
	}

	set bypass_netflix {
		type ipv4_addr
		elements = { 23.246.0.0, 37.77.184.0,
			     45.57.0.0, 64.120.128.0,
			     66.197.128.0, 69.53.224.0,
			     108.175.32.0, 185.2.220.0,
			     185.9.188.0, 192.173.64.0,
			     198.38.96.0, 198.45.48.0,
			     207.45.72.0, 208.75.76.0 }
	}

	set bypass6_netflix {
		type ipv6_addr
	}

	set omr_dscp_cs0_4 {
		type ipv4_addr
	}

	set omr_dscp_cs1_4 {
		type ipv4_addr
	}

	set omr_dscp_cs2_4 {
		type ipv4_addr
		elements = { 74.125.206.188, 142.251.36.238 }
	}

	set omr_dscp_cs3_4 {
		type ipv4_addr
	}

	set omr_dscp_cs4_4 {
		type ipv4_addr
	}

	set omr_dscp_cs5_4 {
		type ipv4_addr
	}

	set omr_dscp_cs6_4 {
		type ipv4_addr
	}

	set omr_dscp_cs7_4 {
		type ipv4_addr
	}

	set omr_dscp_ef_4 {
		type ipv4_addr
	}

	set omr_dst_bypass_eth0_4 {
		type ipv4_addr
	}

	set omr_dst_bypass_eth0_6 {
		type ipv6_addr
	}

	set omr_dst_bypass_wan1_4 {
		type ipv4_addr
	}

	set omr_dst_bypass_wan1_6 {
		type ipv6_addr
	}

	set omr_dst_bypass_wan2_4 {
		type ipv4_addr
	}

	set omr_dst_bypass_wan2_6 {
		type ipv6_addr
	}

	set omr_dst_bypass_tun0_4 {
		type ipv4_addr
	}

	set omr_dst_bypass_tun0_6 {
		type ipv6_addr
	}

	set omr_dst_bypass_all_4 {
		type ipv4_addr
		elements = { 3.251.50.149, 18.236.7.30,
			     23.218.165.59, 34.160.111.145,
			     34.252.74.1, 54.74.73.31,
			     54.155.178.5, 107.20.175.192,
			     207.45.72.215 }
	}

	set omr_dst_bypass_all_6 {
		type ipv6_addr
	}

	set ss_rules_src_bypass {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_src_bypass {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_src_forward {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_src_forward {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_src_checkdst {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_src_checkdst {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_remote_servers {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { <redacted - vps ip> }
	}

	set ss_rules6_remote_servers {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_dst_bypass {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_dst_bypass {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_dst_bypass_ {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { 0.0.0.0/8, 10.0.0.0/8,
			     100.64.0.0/10, 127.0.0.0/8,
			     169.254.0.0/16, 172.16.0.0/12,
			     192.0.0.0/24, 192.0.2.0/24,
			     192.31.196.0/24, 192.52.193.0/24,
			     192.88.99.0/24, 192.168.0.0/16,
			     192.175.48.0/24, 198.18.0.0/15,
			     198.51.100.0/24, 203.0.113.0/24,
			     224.0.0.0/3 }
	}

	set ss_rules6_dst_bypass_ {
		type ipv6_addr
		flags interval
		auto-merge
		elements = { ::/127,
			     ::ffff:0.0.0.0/96,
			     64:ff9b:1::/48,
			     100::/64,
			     2001::/23,
			     fc00::/7,
			     fe80::/10 }
	}

	set ss_rules_dst_forward {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_dst_forward {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_dst_forward_rrst_ {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_dst_forward_rrst_ {
		type ipv6_addr
		flags interval
		auto-merge
	}

	chain ss_rules_pre_tcp {
		type nat hook prerouting priority filter + 1; policy accept;
		meta mark 0x00004539 accept
		ip daddr @omr_dst_bypass_all_4 accept
		meta mark 0x45391500 accept
		ip daddr @omr_dst_bypass_tun0_4 accept
		meta mark 0x00045397 accept
		ip daddr @omr_dst_bypass_wan2_4 accept
		meta mark 0x00045396 accept
		ip daddr @omr_dst_bypass_wan1_4 accept
		meta mark 0x45399999 accept
		ip daddr @omr_dst_bypass_eth0_4 accept
		meta l4proto tcp iifname { "lo", "eth0" } goto ss_rules_pre_src_tcp
	}

	chain ss_rules_pre_src_tcp {
		ip daddr @ss_rules_dst_bypass_ accept
		ip6 daddr @ss_rules6_dst_bypass_ accept
		goto ss_rules_src_tcp
	}

	chain ss_rules_src_tcp {
		ip saddr @ss_rules_src_bypass accept
		ip saddr @ss_rules_src_forward goto ss_rules_forward_tcp
		ip saddr @ss_rules_src_checkdst goto ss_rules_dst_tcp
		ip6 saddr @ss_rules6_src_bypass accept
		ip6 saddr @ss_rules6_src_forward goto ss_rules_forward_tcp
		ip6 saddr @ss_rules6_src_checkdst goto ss_rules_dst_tcp
		goto ss_rules_forward_tcp
	}

	chain ss_rules_dst_tcp {
		ip daddr @ss_rules_dst_bypass accept
		ip daddr @ss_rules_remote_servers accept
		ip daddr @ss_rules_dst_forward goto ss_rules_forward_tcp
		ip6 daddr @ss_rules6_dst_bypass accept
		ip6 daddr @ss_rules6_remote_servers accept
		ip6 daddr @ss_rules6_dst_forward goto ss_rules_forward_tcp
		goto ss_rules_forward_tcp
	}

	chain ss_rules_forward_tcp {
		meta l4proto tcp redirect to :1100
	}

	chain ss_rules_local_out {
		type nat hook output priority filter - 1; policy accept;
		meta mark 0x00004539 accept
		ip daddr @omr_dst_bypass_all_4 accept
		meta mark 0x45391500 accept
		ip daddr @omr_dst_bypass_tun0_4 accept
		meta mark 0x00045397 accept
		ip daddr @omr_dst_bypass_wan2_4 accept
		meta mark 0x00045396 accept
		ip daddr @omr_dst_bypass_wan1_4 accept
		meta mark 0x45399999 accept
		ip daddr @omr_dst_bypass_eth0_4 accept
		meta l4proto != tcp accept
		ip daddr @ss_rules_remote_servers accept
		ip daddr @ss_rules_dst_bypass_ accept
		ip daddr @ss_rules_dst_bypass accept
		ip6 daddr @ss_rules6_remote_servers accept
		ip6 daddr @ss_rules6_dst_bypass_ accept
		ip6 daddr @ss_rules6_dst_bypass accept
		goto ss_rules_forward_tcp
	}

	chain input {
		type filter hook input priority filter; policy drop;
		iif "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
		tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		iifname "eth0" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname { "wan1", "wan2" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
		iifname "tun0" jump input_vpn comment "!fw4: Handle vpn IPv4/IPv6 input traffic"
		jump handle_reject
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
		icmp type echo-request limit rate 1000/second counter packets 11 bytes 15048 accept comment "!fw4: Allow-All-Ping"
		icmpv6 type echo-request limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-All-Ping"
		udp dport 443 counter packets 0 bytes 0 drop comment "!fw4: Block QUIC All"
		iifname "eth0" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		iifname { "wan1", "wan2" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
		iifname "tun0" jump forward_vpn comment "!fw4: Handle vpn IPv4/IPv6 forward traffic"
		jump upnp_forward comment "Hook into miniupnpd forwarding chain"
		jump handle_reject
	}

	chain output {
		type filter hook output priority filter; policy drop;
		oif "lo" accept comment "!fw4: Accept traffic towards loopback"
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
		meta nfproto ipv4 meta mark 0x00004539 counter packets 0 bytes 0 accept comment "!fw4: omr_dst_bypass_all_rule_accept"
		oifname "eth0" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
		oifname { "wan1", "wan2" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
		oifname "tun0" jump output_vpn comment "!fw4: Handle vpn IPv4/IPv6 output traffic"
		jump handle_reject
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
		icmp type echo-request limit rate 1000/second counter packets 21 bytes 19740 accept comment "!fw4: Allow-All-Ping"
		icmpv6 type echo-request limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-All-Ping"
		udp dport 443 counter packets 12 bytes 15356 drop comment "!fw4: Block QUIC All"
		counter packets 7483 bytes 7922806 jump accept_to_vpn comment "!fw4: Allow-All-LAN-to-VPN"
		counter packets 7483 bytes 7922806 jump accept_to_wan comment "!fw4: Allow-Lan-to-Wan"
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		jump accept_to_vpn comment "!fw4: Accept lan to vpn forwarding"
		iifname "eth0" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
		udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject comment "!fw4: Reject any other traffic"
	}

	chain syn_flood {
		limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
		drop comment "!fw4: Drop excess packets"
	}

	chain input_lan {
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 1 bytes 216 accept comment "!fw4: ICMPv6-Lan-to-OMR"
		udp dport 443 counter packets 0 bytes 0 drop comment "!fw4: Block QUIC Proxy"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump accept_from_lan
	}

	chain output_lan {
		jump accept_to_lan
	}

	chain forward_lan {
		counter packets 44 bytes 2331 jump accept_to_vpn comment "!fw4: Allow-All-LAN-to-VPN"
		counter packets 13 bytes 520 jump accept_to_wan comment "!fw4: Allow-Lan-to-Wan"
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		jump accept_to_vpn comment "!fw4: Accept lan to vpn forwarding"
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump accept_to_lan
	}

	chain helper_lan {
		udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
		tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking"
		udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
		tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
		meta nfproto ipv4 tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
		meta nfproto ipv4 udp dport 137 ct helper set "netbios-ns" comment "!fw4: NetBIOS name service broadcast tracking"
		meta nfproto ipv4 tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
		tcp dport 6566 ct helper set "sane" comment "!fw4: SANE scanner connection tracking"
		udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
		meta nfproto ipv4 udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
		udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
	}

	chain accept_from_lan {
		iifname "eth0" counter packets 33 bytes 2263 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain accept_to_lan {
		oifname "eth0" counter packets 0 bytes 0 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain input_wan {
		meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
		icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
		meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
		meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
		ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
		icmpv6 type { nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 2 bytes 432 accept comment "!fw4: Allow IPv6 ICMP"
		icmpv6 type . icmpv6 code { nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow IPv6 ICMP"
		meta nfproto ipv6 udp sport 546 udp dport 547 counter packets 0 bytes 0 accept comment "!fw4: Allow DHCPv6 (546-to-547)"
		meta nfproto ipv6 udp sport 547 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow DHCPv6 (547-to-546)"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump reject_from_wan
	}

	chain output_wan {
		jump accept_to_wan
	}

	chain forward_wan {
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
		udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump reject_to_wan
	}

	chain accept_to_wan {
		meta nfproto ipv4 oifname { "wan1", "wan2" } ct state invalid counter packets 1 bytes 64 drop comment "!fw4: Prevent NAT leakage"
		oifname { "wan1", "wan2" } counter packets 96 bytes 19112 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
	}

	chain reject_from_wan {
		iifname { "wan1", "wan2" } counter packets 2 bytes 278 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain reject_to_wan {
		oifname { "wan1", "wan2" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain input_vpn {
		meta l4proto { icmp, ipv6-icmp } counter packets 0 bytes 0 accept comment "!fw4: Allow-VPN-ICMP"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump reject_from_vpn
	}

	chain output_vpn {
		jump accept_to_vpn
	}

	chain forward_vpn {
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump accept_to_vpn
	}

	chain accept_to_vpn {
		meta nfproto ipv4 oifname "tun0" ct state invalid counter packets 8 bytes 519 drop comment "!fw4: Prevent NAT leakage"
		oifname "tun0" counter packets 96 bytes 6885 accept comment "!fw4: accept vpn IPv4/IPv6 traffic"
	}

	chain reject_from_vpn {
		iifname "tun0" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject vpn IPv4/IPv6 traffic"
	}

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
		jump upnp_prerouting comment "Hook into miniupnpd prerouting chain"
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname { "wan1", "wan2" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
		oifname "tun0" jump srcnat_vpn comment "!fw4: Handle vpn IPv4/IPv6 srcnat traffic"
		jump upnp_postrouting comment "Hook into miniupnpd postrouting chain"
	}

	chain srcnat_wan {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
	}

	chain srcnat_vpn {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 vpn traffic"
	}

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
		iifname "eth0" ip daddr @bypass_netflix counter packets 0 bytes 0 meta mark set 0x00004539 comment "!fw4: bypass_"
		iifname "eth0" ip6 daddr @bypass6_netflix counter packets 0 bytes 0 meta mark set 0x00006539 comment "!fw4: bypass6_"
		iifname "eth0" ip daddr @omr_dst_bypass_all_4 counter packets 16 bytes 640 meta mark set 0x00004539 comment "!fw4: omr_dst_bypass_all_rule"
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
		oifname "eth0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone lan IPv4/IPv6 egress MTU fixing"
		oifname { "wan1", "wan2" } tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
		oifname "tun0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 egress MTU fixing"
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
		meta l4proto tcp ip daddr @omr_dscp_cs0_4 counter packets 0 bytes 0 ip dscp set cs0 comment "!fw4: omr_dscp_cs0_4"
		meta l4proto udp ip daddr @omr_dscp_cs0_4 counter packets 0 bytes 0 ip dscp set cs0 comment "!fw4: omr_dscp_cs0_4"
		meta l4proto tcp ip daddr @omr_dscp_cs1_4 counter packets 0 bytes 0 ip dscp set cs1 comment "!fw4: omr_dscp_cs1_4"
		meta l4proto udp ip daddr @omr_dscp_cs1_4 counter packets 0 bytes 0 ip dscp set cs1 comment "!fw4: omr_dscp_cs1_4"
		meta l4proto tcp ip daddr @omr_dscp_cs2_4 counter packets 0 bytes 0 ip dscp set cs2 comment "!fw4: omr_dscp_cs2_4"
		meta l4proto udp ip daddr @omr_dscp_cs2_4 counter packets 0 bytes 0 ip dscp set cs2 comment "!fw4: omr_dscp_cs2_4"
		meta l4proto tcp ip daddr @omr_dscp_cs3_4 counter packets 0 bytes 0 ip dscp set cs3 comment "!fw4: omr_dscp_cs3_4"
		meta l4proto udp ip daddr @omr_dscp_cs3_4 counter packets 0 bytes 0 ip dscp set cs3 comment "!fw4: omr_dscp_cs3_4"
		meta l4proto tcp ip daddr @omr_dscp_cs4_4 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_cs4_4"
		meta l4proto udp ip daddr @omr_dscp_cs4_4 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_cs4_4"
		meta l4proto tcp ip daddr @omr_dscp_cs5_4 counter packets 0 bytes 0 ip dscp set cs5 comment "!fw4: omr_dscp_cs5_4"
		meta l4proto udp ip daddr @omr_dscp_cs5_4 counter packets 0 bytes 0 ip dscp set cs5 comment "!fw4: omr_dscp_cs5_4"
		meta l4proto tcp ip daddr @omr_dscp_cs6_4 counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_cs6_4"
		meta l4proto udp ip daddr @omr_dscp_cs6_4 counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_cs6_4"
		meta l4proto tcp ip daddr @omr_dscp_cs7_4 counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_cs7_4"
		meta l4proto udp ip daddr @omr_dscp_cs7_4 counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_cs7_4"
		meta l4proto tcp ip daddr @omr_dscp_ef_4 counter packets 0 bytes 0 ip dscp set ef comment "!fw4: omr_dscp_ef_4"
		meta l4proto udp ip daddr @omr_dscp_ef_4 counter packets 0 bytes 0 ip dscp set ef comment "!fw4: omr_dscp_ef_4"
		meta l4proto icmp ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 counter packets 43 bytes 26256 ip dscp set cs7 comment "!fw4: omr_dscp_rule1"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport { 53, 123, 5353 } udp dport 0-65535 counter packets 12 bytes 912 ip dscp set cs4 comment "!fw4: omr_dscp_rule2"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport { 53, 5353 } tcp dport 0-65535 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_rule3"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport 65500 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_rule4"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport { 65001, 65011, 65301, 65401 } counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_rule5"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport 0-65535 udp dport { 65001, 65301 } counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_rule6"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport { 65101, 65228 } counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_rule7"
		iifname "eth0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone lan IPv4/IPv6 ingress MTU fixing"
		iifname { "wan1", "wan2" } tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
		iifname "tun0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 ingress MTU fixing"
	}

	chain upnp_forward {
	}

	chain upnp_prerouting {
	}

	chain upnp_postrouting {
	}
}
root@OpenMPTCProuter:~#
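The two rulesets posted in this thread differ in one detail worth making concrete: in the dump above, bypass_netflix has no flags interval and holds bare addresses such as 198.38.96.0, whereas the dump posted later holds 198.38.96.0/19 with flags interval. The following is an added example, not part of the issue and not OpenMPTCProuter code. It parses set blocks in the format nft list ruleset prints, emulates how the ip daddr @set matches in mangle_prerouting decide whether a destination gets the bypass mark, and checks the addresses from the traceroutes above (107.20.175.192 for nflxvideo.net, 198.38.109.219 for the OCA host). The set texts are excerpts of the dumps on this page; the decision labels "wan" and "vps" and the domain_matches helper are my own, the latter modelling the subdomain expectation stated in the issue, not how OMR populates its sets. The model covers set membership only: the later dump is truncated on this page, so it cannot explain why the OCA host still went through the VPS once amazon_aws was added.

```python
import ipaddress
import re

# Excerpts of the set blocks from the two `nft list ruleset` dumps in this
# thread. First dump: no `flags interval`, bare addresses. Second dump: the
# same set with `flags interval` and CIDR prefixes.
NETFLIX_SET_FIRST_DUMP = """
set bypass_netflix {
    type ipv4_addr
    elements = { 23.246.0.0, 37.77.184.0,
                 45.57.0.0, 64.120.128.0,
                 198.38.96.0, 198.45.48.0,
                 207.45.72.0, 208.75.76.0 }
}
"""
NETFLIX_SET_SECOND_DUMP = """
set bypass_netflix {
    type ipv4_addr
    flags interval
    auto-merge
    elements = { 23.246.0.0/18, 37.77.184.0/21,
                 45.57.0.0/17, 64.120.128.0/17,
                 198.38.96.0/19, 198.45.48.0/20,
                 207.45.72.0/22, 208.75.76.0/22 }
}
"""
# DNS-resolved domain set from the first dump; nflxvideo.net itself resolved
# to 107.20.175.192, which is why that traceroute left via the master WAN.
DOMAIN_SET_FIRST_DUMP = """
set omr_dst_bypass_all_4 {
    type ipv4_addr
    elements = { 34.160.111.145, 107.20.175.192, 207.45.72.215 }
}
"""

def parse_nft_set(text):
    """Parse one `set name { ... }` block; returns (name, interval, elements)
    with elements kept as nft printed them (addr, addr/prefix, addr-addr)."""
    name = re.search(r"set\s+(\S+)\s*\{", text).group(1)
    interval = re.search(r"^\s*flags\b.*\binterval\b", text, re.M) is not None
    body = re.search(r"elements\s*=\s*\{([^}]*)\}", text, re.S)
    elements = [e.strip() for e in body.group(1).split(",") if e.strip()] if body else []
    return name, interval, elements

def set_matches(interval, elements, addr):
    """Emulate `ip daddr @set`. Without `flags interval` nft holds single
    addresses only (it rejects prefixes/ranges at load), so 198.38.96.0 matches
    just that host; with the flag a prefix or range covers every address in it."""
    ip = ipaddress.ip_address(addr)
    for elem in elements:
        if "/" in elem or "-" in elem:
            if not interval:
                raise ValueError(f"element {elem} requires 'flags interval'")
            if "-" in elem:
                lo, hi = (ipaddress.ip_address(x) for x in elem.split("-"))
                if lo <= ip <= hi:
                    return True
            elif ip in ipaddress.ip_network(elem, strict=False):
                return True
        elif ip == ipaddress.ip_address(elem):
            return True
    return False

def bypass_decision(set_texts, addr):
    """Mirror mangle_prerouting in the thread: a destination in any bypass set
    gets the bypass mark and leaves via the master WAN, the rest via the VPS.
    The labels "wan"/"vps" are this example's own, not OMR terminology."""
    for text in set_texts:
        _, interval, elements = parse_nft_set(text)
        if set_matches(interval, elements, addr):
            return "wan"
    return "vps"

def domain_matches(qname, configured):
    """Subdomain match on label boundaries (hypothetical helper): a name equal
    to the configured domain or ending in "." + domain matches, so
    random.sub.nflxvideo.net matches nflxvideo.net but notnflxvideo.net does not."""
    q, c = qname.rstrip(".").lower(), configured.rstrip(".").lower()
    return q == c or q.endswith("." + c)

if __name__ == "__main__":
    first = [NETFLIX_SET_FIRST_DUMP, DOMAIN_SET_FIRST_DUMP]
    second = [NETFLIX_SET_SECOND_DUMP, DOMAIN_SET_FIRST_DUMP]
    for dst in ("107.20.175.192", "198.38.109.219"):  # A records seen in the thread
        print(dst, "first dump:", bypass_decision(first, dst),
              "second dump:", bypass_decision(second, dst))
```

Run stand-alone it reports that 107.20.175.192 is bypassed under both dumps (it sits in the resolved-domain set), while 198.38.109.219 is bypassed only under the interval-flagged set, matching the first pair of traceroutes. The label-boundary check in domain_matches is the detail to keep when a bypass is meant to cover subdomains: a plain endswith on the string would also route unrelated names that merely end in the same characters around the VPS.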

@Ysurac Ysurac self-assigned this Dec 4, 2024
@Ysurac
Owner

Ysurac commented Dec 5, 2024

Can you try the latest snapshots? I fixed some issues.

@Schinkentanz
Author

Thanks for the update @Ysurac. I've tried the latest snapshot and it fixes the initial problem, but when adding the amazon_aws or whatsapp services, the routing for netflix no longer works (the configured domains, e.g. ifconfig.me, are still routed correctly). I've also installed Pi-Hole, but the behaviour is the same with or without it. If I remove these services, the routing works correctly again.

❯ ✅ traceroute nflxvideo.net
 1  192.168.0.1 (192.168.0.1)  14.499 ms  3.236 ms  3.097 ms
 2  openmptcprouter.lan (192.168.42.1)  3.622 ms  3.193 ms  3.210 ms
 3  192.168.178.1 (192.168.178.1)  6.173 ms  4.882 ms  7.659 ms
.... <redacted>
❯ ❌ traceroute ipv4-c088-ord001-dev-ix.1.oca.nflxvideo.net
 1  192.168.0.1 (192.168.0.1)  5.764 ms  3.356 ms  2.895 ms
 2  openmptcprouter.lan (192.168.42.1)  4.613 ms  3.508 ms  3.238 ms
 3  10.255.252.1 (10.255.252.1)  19.042 ms  18.521 ms  18.231 ms
❯ ✅ traceroute ifconfig.me
 1  192.168.0.1 (192.168.0.1)  17.401 ms  5.172 ms  2.744 ms
 2  openmptcprouter.lan (192.168.42.1)  3.666 ms  3.492 ms  3.403 ms
 3  192.168.178.1 (192.168.178.1)  6.686 ms  5.141 ms  5.029 ms
❯ ✅ traceroute random.subdomain.ifconfig.me
traceroute to random.subdomain.ifconfig.me (34.160.111.145), 64 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  5.068 ms  3.177 ms  3.054 ms
 2  openmptcprouter.lan (192.168.42.1)  3.916 ms  3.745 ms  3.351 ms
 3  192.168.178.1 (192.168.178.1)  5.865 ms  10.092 ms  11.031 ms
❯ ✅ traceroute email-smtp.eu-west-1.amazonaws.com
 1  192.168.0.1 (192.168.0.1)  95.632 ms  3.041 ms  3.114 ms
 2  openmptcprouter.lan (192.168.42.1)  3.851 ms  3.352 ms  3.226 ms
 3  192.168.178.1 (192.168.178.1)  5.643 ms  6.034 ms  5.265 ms

Note

The output for nft list ruleset also includes rules for whatsapp, even though I've completely removed the service.
The configured domains are:

  • ifconfig.me

The configured services are:

  • netflix
  • amazon_aws

Output of "nft list ruleset":
table ip mangle {
	chain PREROUTING {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain INPUT {
		type filter hook input priority mangle; policy accept;
		counter packets 15418 bytes 2577720 jump omr-bypass-dpi
	}

	chain FORWARD {
		type filter hook forward priority mangle; policy accept;
		counter packets 1273 bytes 222381 jump omr-bypass-dpi
	}

	chain OUTPUT {
		type route hook output priority mangle; policy accept;
	}

	chain POSTROUTING {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain omr-bypass-dpi {
	}
}
table inet fw4 {
	ct helper amanda {
		type "amanda" protocol udp
		l3proto inet
	}

	ct helper ftp {
		type "ftp" protocol tcp
		l3proto inet
	}

	ct helper RAS {
		type "RAS" protocol udp
		l3proto inet
	}

	ct helper Q.931 {
		type "Q.931" protocol tcp
		l3proto inet
	}

	ct helper irc {
		type "irc" protocol tcp
		l3proto ip
	}

	ct helper netbios-ns {
		type "netbios-ns" protocol udp
		l3proto ip
	}

	ct helper pptp {
		type "pptp" protocol tcp
		l3proto ip
	}

	ct helper sane {
		type "sane" protocol tcp
		l3proto inet
	}

	ct helper sip {
		type "sip" protocol udp
		l3proto inet
	}

	ct helper snmp {
		type "snmp" protocol udp
		l3proto ip
	}

	ct helper tftp {
		type "tftp" protocol udp
		l3proto inet
	}

	set bypass_netflix {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { 23.246.0.0/18, 37.77.184.0/21,
			     45.57.0.0/17, 64.120.128.0/17,
			     66.197.128.0/17, 69.53.224.0/19,
			     108.175.32.0/20, 185.2.220.0/22,
			     185.9.188.0/22, 192.173.64.0/18,
			     198.38.96.0/19, 198.45.48.0/20,
			     207.45.72.0/22, 208.75.76.0/22 }
	}

	set bypass6_netflix {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set bypass_whatsapp {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { 3.33.221.48, 3.33.252.61,
			     15.197.206.217, 15.197.210.208,
			     31.13.64.60/31, 31.13.65.49-31.13.65.50,
			     31.13.66.51, 31.13.66.56,
			     31.13.67.52/31, 31.13.68.60/31,
			     31.13.69.60/31, 31.13.70.49-31.13.70.50,
			     31.13.71.49-31.13.71.50, 31.13.72.48,
			     31.13.72.52, 31.13.73.52/31,
			     31.13.74.52/31, 31.13.75.60/31,
			     31.13.76.60/31, 31.13.77.60/31,
			     31.13.78.60/31, 31.13.79.53-31.13.79.54,
			     31.13.80.48, 31.13.80.53,
			     31.13.81.48, 31.13.81.53,
			     31.13.82.51, 31.13.82.55,
			     31.13.83.49, 31.13.83.51,
			     31.13.84.49, 31.13.84.51,
			     31.13.85.49, 31.13.85.51,
			     31.13.86.49, 31.13.86.51,
			     31.13.87.48, 31.13.87.51,
			     31.13.88.60/31, 31.13.89.53-31.13.89.54,
			     31.13.90.60/31, 31.13.91.60/31,
			     31.13.92.48, 31.13.92.52,
			     31.13.93.53-31.13.93.54, 31.13.94.52,
			     31.13.94.54, 31.13.95.60/31,
			     34.192.181.12, 34.193.38.112,
			     34.194.71.217, 34.194.255.230,
			     69.171.250.60/31, 102.132.96.54/31,
			     102.132.97.54/31, 102.132.98.60/31,
			     102.132.99.60/31, 102.132.100.60/31,
			     102.132.101.60/31, 102.132.102.60/31,
			     102.132.103.60/31, 102.132.104.60/31,
			     102.132.105.60/31, 102.132.106.60/31,
			     102.132.107.60/31, 102.132.108.60/31,
			     102.132.109.60/31, 102.132.110.60/31,
			     102.132.111.60/31, 157.240.0.60/31,
			     157.240.1.60/31, 157.240.2.53-157.240.2.54,
			     157.240.3.54/31, 157.240.4.60/31,
			     157.240.5.60/31, 157.240.6.53-157.240.6.54,
			     157.240.7.53-157.240.7.54, 157.240.8.53-157.240.8.54,
			     157.240.9.53-157.240.9.54, 157.240.10.53-157.240.10.54,
			     157.240.11.53-157.240.11.54, 157.240.12.53-157.240.12.54,
			     157.240.13.54/31, 157.240.14.52/31,
			     157.240.15.60/31, 157.240.16.52/31,
			     157.240.17.60/31, 157.240.18.52/31,
			     157.240.19.53-157.240.19.54, 157.240.20.52/31,
			     157.240.21.52/31, 157.240.22.53-157.240.22.54,
			     157.240.23.53-157.240.23.54, 157.240.24.60/31,
			     157.240.25.60/31, 157.240.26.54/31,
			     157.240.27.54/31, 157.240.28.51,
			     157.240.28.55, 157.240.29.60/31,
			     157.240.30.54/31, 157.240.31.60/31,
			     157.240.192.52, 157.240.192.55,
			     157.240.193.60/31, 157.240.194.54/31,
			     157.240.195.54, 157.240.195.56,
			     157.240.196.60/31, 157.240.197.60/31,
			     157.240.198.60/31, 157.240.199.60/31,
			     157.240.200.60/31, 157.240.201.60/31,
			     157.240.202.60/31, 157.240.203.60/31,
			     157.240.204.60/31, 157.240.205.60/31,
			     157.240.206.60/31, 157.240.207.60/31,
			     157.240.208.60/31, 157.240.209.60/31,
			     157.240.210.60/31, 157.240.211.60/31,
			     157.240.212.60/31, 157.240.213.60/31,
			     157.240.214.60/31, 157.240.215.60/31,
			     157.240.216.60/31, 157.240.217.60/31,
			     157.240.218.60/31, 157.240.219.60/31,
			     157.240.220.60/31, 157.240.221.60/31,
			     157.240.222.60/31, 157.240.223.60/31,
			     157.240.224.60/31, 157.240.225.60/31,
			     157.240.226.60/31, 157.240.227.60/31,
			     157.240.228.60/31, 157.240.229.60/31,
			     157.240.231.60/31, 157.240.232.60/31,
			     157.240.233.60/31, 157.240.234.60/31,
			     157.240.235.60/31, 157.240.236.60/31,
			     157.240.237.60/31, 157.240.238.60/31,
			     157.240.239.60/31, 157.240.240.60/31,
			     157.240.241.60/31, 157.240.242.60/31,
			     157.240.243.60/31, 157.240.244.60/31,
			     157.240.245.60/31, 157.240.246.60/31,
			     157.240.247.60/31, 157.240.248.60/31,
			     157.240.249.60/31, 157.240.250.60/31,
			     157.240.251.60/31, 157.240.252.60/31,
			     157.240.253.60/31, 157.240.254.60/31,
			     163.70.128.60/31, 163.70.129.60/31,
			     163.70.130.60/31, 163.70.131.60/31,
			     163.70.132.60/31, 163.70.133.60/31,
			     163.70.134.60/31, 163.70.135.60/31,
			     163.70.136.60/31, 163.70.137.60/31,
			     163.70.138.60/31, 163.70.139.60/31,
			     163.70.140.60/31, 163.70.141.60/31,
			     163.70.142.60/31, 163.70.143.60/31,
			     163.70.144.60/31, 163.70.145.60/31,
			     163.70.146.60/31, 163.70.147.60/31,
			     163.70.148.60/31, 163.70.149.60/31,
			     163.70.150.60/31, 163.70.151.60/31,
			     163.70.152.60/31, 163.70.153.60/31,
			     163.70.154.60/31, 163.70.155.60/31,
			     163.70.156.60/31, 163.70.157.60/31,
			     163.70.158.60/31, 163.70.159.60/31,
			     179.60.192.49, 179.60.192.51,
			     179.60.193.60/31, 179.60.194.53-179.60.194.54,
			     179.60.195.49, 179.60.195.51,
			     185.60.216.53-185.60.216.54, 185.60.217.53-185.60.217.54,
			     185.60.218.53-185.60.218.54, 185.60.219.60/31 }
	}

	set bypass6_whatsapp {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set bypass_amazon_aws {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { 3.0.0.0-3.2.5.255, 3.2.8.0/21,
			     3.2.48.0-3.2.56.255, 3.3.0.0-3.3.2.255,
			     3.3.5.0-3.3.33.255, 3.4.0.0-3.4.4.255,
			     3.4.6.0/24, 3.4.8.0-3.4.10.255,
			     3.4.15.0/28, 3.4.16.0-3.4.47.255,
			     3.5.0.0-3.5.59.255, 3.5.64.0-3.5.73.255,
			     3.5.76.0-3.5.87.255, 3.5.128.0-3.5.169.255,
			     3.5.172.0/22, 3.5.180.0-3.5.191.255,
			     3.5.202.0-3.32.255.255, 3.33.34.0/23,
			     3.33.40.0/21, 3.33.128.0-3.39.255.255,
			     3.64.0.0-3.99.255.255, 3.101.0.0/16,
			     3.104.0.0-3.115.255.255, 3.120.0.0-3.151.255.255,
			     3.160.0.0-3.172.63.255, 3.208.0.0-3.239.255.255,
			     3.248.0.0/13, 13.32.0.0/15,
			     13.35.0.0-13.43.255.255, 13.48.0.0/12,
			     13.112.0.0/14, 13.124.0.0/14,
			     13.184.0.0-13.215.255.255, 13.224.0.0/12,
			     13.244.0.0-13.248.73.255, 13.248.75.0/24,
			     13.248.96.0-13.251.255.255, 15.145.0.0-15.145.5.255,
			     15.145.8.0-15.145.25.255, 15.152.0.0/16,
			     15.156.0.0-15.158.255.255, 15.160.0.0/15,
			     15.164.0.0/15, 15.168.0.0/16,
			     15.177.0.0-15.177.100.255, 15.181.0.0-15.181.254.255,
			     15.184.0.0/15, 15.188.0.0/16,
			     15.190.0.0-15.190.11.255, 15.190.16.0-15.190.63.255,
			     15.193.0.0/19, 15.197.0.0-15.197.39.255,
			     15.197.64.0/19, 15.197.128.0/17,
			     15.200.0.0/16, 15.205.0.0-15.207.255.255,
			     15.220.0.0-15.220.207.255, 15.220.208.128/26,
			     15.220.216.0-15.221.53.255, 15.221.128.0/21,
			     15.221.144.0-15.221.153.255, 15.221.160.0/21,
			     15.222.0.0/15, 15.228.0.0/15,
			     15.230.0.4-15.230.0.9, 15.230.0.12-15.230.0.14,
			     15.230.1.0/24, 15.230.3.0/24,
			     15.230.4.19, 15.230.4.128/30,
			     15.230.4.148-15.230.4.167, 15.230.4.176/28,
			     15.230.5.0-15.230.6.255, 15.230.9.10-15.230.9.15,
			     15.230.9.44/30, 15.230.9.248,
			     15.230.9.252/31, 15.230.10.0/24,
			     15.230.14.0-15.230.15.0, 15.230.15.3-15.230.15.11,
			     15.230.15.13-15.230.15.16, 15.230.15.24-15.230.15.195,
			     15.230.15.200-15.230.15.219, 15.230.15.254-15.230.16.255,
			     15.230.18.0/23, 15.230.21.0-15.230.32.255,
			     15.230.35.0-15.230.43.255, 15.230.48.0-15.230.63.6,
			     15.230.63.8/30, 15.230.64.0-15.230.79.191,
			     15.230.80.0-15.230.100.2, 15.230.101.0-15.230.107.0,
			     15.230.107.2/31, 15.230.108.0-15.230.117.1,
			     15.230.118.0-15.230.119.1, 15.230.120.0/31,
			     15.230.121.0-15.230.121.9, 15.230.129.0-15.230.138.255,
			     15.230.140.0-15.230.145.255, 15.230.147.0-15.230.149.5,
			     15.230.149.8/30, 15.230.150.0-15.230.169.7,
			     15.230.170.0/23, 15.230.173.0-15.230.174.255,
			     15.230.176.0-15.230.177.4, 15.230.178.0-15.230.179.23,
			     15.230.180.0-15.230.190.255, 15.230.192.0-15.230.199.15,
			     15.230.200.0-15.230.202.3, 15.230.203.0-15.230.204.127,
			     15.230.205.0-15.230.216.13, 15.230.217.0-15.230.223.7,
			     15.230.240.0-15.230.251.7, 15.230.252.0-15.230.254.4,
			     15.230.255.0/24, 15.236.0.0/15,
			     15.248.8.0/22, 15.248.16.0-15.248.43.255,
			     15.248.48.0-15.248.71.255, 15.248.80.0/20,
			     15.248.104.0/24, 15.248.136.0/24,
			     15.251.0.0/28, 15.251.0.20-15.251.0.29,
			     15.251.0.33-15.251.0.34, 15.251.0.47-15.251.0.48,
			     15.253.0.0-15.254.255.255, 16.12.0.0-16.12.2.255,
			     16.12.4.0-16.12.21.255, 16.12.24.0-16.12.44.255,
			     16.12.48.0-16.12.67.255, 16.12.74.0/24,
			     16.15.0.0/21, 16.15.176.0-16.16.255.255,
			     16.24.0.0/13, 16.50.0.0-16.56.63.255,
			     16.56.128.0/18, 16.57.0.0/18,
			     16.62.0.0-16.67.255.255, 16.78.0.0/15,
			     16.154.0.0-16.159.255.255, 16.162.0.0/15,
			     16.168.0.0/14, 16.176.0.0/14,
			     16.182.0.0/16, 16.184.0.0/14,
			     18.34.0.0/19, 18.34.48.0/20,
			     18.34.72.0/21, 18.34.232.0/21,
			     18.34.244.0/22, 18.34.252.0/22,
			     18.60.0.0/15, 18.64.0.0-18.68.255.255,
			     18.88.0.0/18, 18.88.128.0/18,
			     18.89.0.0/18, 18.89.128.0/18,
			     18.96.0.0-18.96.2.255, 18.96.16.0-18.97.63.255,
			     18.97.128.0-18.102.255.255, 18.116.0.0/14,
			     18.130.0.0/16, 18.132.0.0-18.136.255.255,
			     18.138.0.0-18.145.255.255, 18.153.0.0-18.173.255.255,
			     18.175.0.0-18.185.255.255, 18.188.0.0-18.239.255.255,
			     18.244.0.0-18.246.255.255, 18.252.0.0-18.254.255.255,
			     23.20.0.0/14, 23.160.0.0/24,
			     27.0.0.0/22, 34.192.0.0/10,
			     35.71.64.0-35.71.75.255, 35.71.96.0-35.71.121.255,
			     35.71.128.0-35.96.1.255, 35.96.16.0-35.96.159.255,
			     35.152.0.0-35.183.255.255, 36.103.232.0-36.103.232.191,
			     40.164.0.0/14, 40.172.0.0-40.181.255.255,
			     40.192.0.0/14, 43.192.0.0-43.193.63.255,
			     43.194.0.0-43.196.255.255, 43.198.0.0-43.207.255.255,
			     43.216.0.0-43.218.255.255, 43.249.44.0/22,
			     43.250.192.0/23, 44.192.0.0/10,
			     45.113.128.0/22, 46.51.128.0-46.51.211.255,
			     46.51.216.0-46.51.255.255, 46.137.0.0/16,
			     47.128.0.0/14, 50.16.0.0/14,
			     50.112.0.0/16, 51.0.0.0-51.0.29.15,
			     51.0.29.128/28, 51.0.80.0-51.0.119.255,
			     51.0.128.0/21, 51.16.0.0/15,
			     51.20.0.0/15, 51.24.0.0/16,
			     51.34.0.0/15, 51.44.0.0/14,
			     51.84.0.0/14, 51.92.0.0-51.96.255.255,
			     51.100.0.0/15, 51.112.0.0/16,
			     51.118.0.0/15, 51.224.0.0/14,
			     52.0.0.0-52.46.159.255, 52.46.164.0-52.46.187.255,
			     52.46.192.0-52.46.243.255, 52.46.249.0-52.82.169.31,
			     52.82.170.0/23, 52.82.176.0-52.82.185.255,
			     52.82.187.0-52.93.12.255, 52.93.14.0/24,
			     52.93.16.0-52.93.21.255, 52.93.22.48-52.93.22.71,
			     52.93.23.0-52.93.31.255, 52.93.32.176,
			     52.93.32.179-52.93.32.180, 52.93.32.183-52.93.32.184,
			     52.93.33.224/31, 52.93.34.0-52.93.45.255,
			     52.93.47.0-52.93.51.255, 52.93.55.144-52.93.55.149,
			     52.93.55.152-52.93.55.167, 52.93.56.0-52.93.69.255,
			     52.93.70.40/29, 52.93.70.128/25,
			     52.93.71.37-52.93.71.47, 52.93.72.0-52.93.83.255,
			     52.93.87.96/27, 52.93.91.96-52.93.91.115,
			     52.93.92.0-52.93.101.255, 52.93.111.0-52.93.113.255,
			     52.93.115.0-52.93.116.255, 52.93.119.144/30,
			     52.93.120.176/30, 52.93.121.187-52.93.121.190,
			     52.93.121.195-52.93.121.198, 52.93.122.131,
			     52.93.122.202/31, 52.93.122.218,
			     52.93.122.255, 52.93.123.6,
			     52.93.123.11, 52.93.123.98/31,
			     52.93.123.136, 52.93.123.255,
			     52.93.124.14/31, 52.93.124.96/31,
			     52.93.124.210-52.93.124.213, 52.93.125.42/31,
			     52.93.126.76, 52.93.126.122/31,
			     52.93.126.130-52.93.126.139, 52.93.126.144/30,
			     52.93.126.198/31, 52.93.126.204/30,
			     52.93.126.212/30, 52.93.126.234/31,
			     52.93.126.244/31, 52.93.126.250/31,
			     52.93.127.17-52.93.127.19, 52.93.127.24/30,
			     52.93.127.68/30, 52.93.127.92-52.93.127.133,
			     52.93.127.138/31, 52.93.127.146-52.93.127.149,
			     52.93.127.152-52.93.127.169, 52.93.127.172-52.93.127.185,
			     52.93.127.194-52.93.127.207, 52.93.127.216-52.93.127.221,
			     52.93.127.232, 52.93.127.237-52.93.127.239,
			     52.93.127.244-52.93.127.255, 52.93.129.95,
			     52.93.131.217, 52.93.133.127,
			     52.93.133.129, 52.93.133.131,
			     52.93.133.133, 52.93.133.153,
			     52.93.133.155, 52.93.133.175,
			     52.93.133.177, 52.93.133.179,
			     52.93.133.181, 52.93.134.181,
			     52.93.135.195, 52.93.136.0-52.93.140.255,
			     52.93.141.128/25, 52.93.146.0-52.93.148.191,
			     52.93.149.0-52.93.151.255, 52.93.153.80,
			     52.93.153.148/31, 52.93.153.168-52.93.153.179,
			     52.93.156.0/22, 52.93.178.128-52.93.178.235,
			     52.93.182.128/26, 52.93.183.64/27,
			     52.93.193.192-52.93.193.203, 52.93.198.0/25,
			     52.93.199.24-52.93.199.47, 52.93.199.88-52.93.199.111,
			     52.93.201.80-52.93.201.111, 52.93.229.148/31,
			     52.93.236.0-52.93.245.255, 52.93.246.216/29,
			     52.93.247.0/25, 52.93.248.0/22,
			     52.93.254.0-52.94.20.255, 52.94.22.0-52.94.30.255,
			     52.94.32.0-52.94.69.255, 52.94.72.0-52.94.146.255,
			     52.94.148.0/22, 52.94.152.3,
			     52.94.152.9, 52.94.152.11-52.94.152.12,
			     52.94.152.44, 52.94.152.60-52.94.152.69,
			     52.94.152.176-52.94.152.195, 52.94.160.0-52.94.198.159,
			     52.94.199.0-52.94.201.127, 52.94.204.0-52.94.248.239,
			     52.94.249.32-52.94.250.63, 52.94.250.80/28,
			     52.94.252.0-52.95.29.63, 52.95.30.0/23,
			     52.95.34.0-52.95.42.255, 52.95.48.0-52.95.219.255,
			     52.95.224.0-52.95.230.255, 52.95.235.0/24,
			     52.95.239.0-52.95.255.159, 52.119.128.0-52.119.199.255,
			     52.119.205.0-52.119.249.255, 52.119.252.0/22,
			     52.124.128.0/17, 52.129.130.0/23,
			     52.144.133.32/27, 52.144.192.0-52.144.193.191,
			     52.144.194.0-52.144.195.63, 52.144.196.192/26,
			     52.144.197.128/25, 52.144.199.128/26,
			     52.144.200.64-52.144.200.191, 52.144.201.64-52.144.201.191,
			     52.144.205.0/26, 52.144.208.0/30,
			     52.144.208.64-52.144.211.203, 52.144.212.64/26,
			     52.144.212.192/26, 52.144.213.64/26,
			     52.144.214.128/26, 52.144.215.0/30,
			     52.144.215.192-52.144.215.203, 52.144.216.0-52.144.216.11,
			     52.144.218.0/25, 52.144.223.64-52.144.223.191,
			     52.144.224.64-52.144.225.191, 52.144.227.64/26,
			     52.144.227.192-52.144.228.3, 52.144.228.64-52.144.229.127,
			     52.144.230.0/26, 52.144.230.204-52.144.230.211,
			     52.144.231.64/26, 52.144.233.64/29,
			     52.144.233.128/29, 52.144.233.192/26,
			     52.192.0.0-52.219.20.255, 52.219.24.0-52.219.47.255,
			     52.219.56.0-52.219.75.255, 52.219.80.0-52.219.221.255,
			     52.219.224.0-52.219.235.255, 52.219.254.0-52.223.127.255,
			     52.223.192.0/18, 54.20.0.0/15,
			     54.25.15.0/24, 54.25.20.0/24,
			     54.25.82.0/24, 54.26.166.0/24,
			     54.46.0.0/15, 54.64.0.0/11,
			     54.112.0.0/18, 54.116.0.0/15,
			     54.144.0.0-54.222.39.255, 54.222.48.0/21,
			     54.222.57.0-54.222.58.15, 54.222.58.32/27,
			     54.222.64.0/24, 54.222.66.0-54.222.71.255,
			     54.222.76.0-54.222.103.255, 54.222.112.0-54.239.39.255,
			     54.239.40.152/29, 54.239.48.0-54.239.71.255,
			     54.239.96.0/24, 54.239.98.0-54.239.103.191,
			     54.239.104.0-54.239.114.191, 54.239.115.0/25,
			     54.239.116.0-54.239.223.255, 54.240.128.0-54.240.200.255,
			     54.240.202.0-54.240.223.255, 54.240.225.0-54.240.235.255,
			     54.240.236.1-54.240.236.2, 54.240.236.5-54.240.236.6,
			     54.240.236.9-54.240.236.10, 54.240.236.13-54.240.236.14,
			     54.240.236.17-54.240.236.18, 54.240.236.21-54.240.236.22,
			     54.240.236.25-54.240.236.26, 54.240.236.29-54.240.236.30,
			     54.240.236.33-54.240.236.34, 54.240.236.37-54.240.236.38,
			     54.240.236.41-54.240.236.42, 54.240.236.45-54.240.236.46,
			     54.240.236.49-54.240.236.50, 54.240.236.53-54.240.236.54,
			     54.240.236.57-54.240.236.58, 54.240.236.61-54.240.236.62,
			     54.240.236.65-54.240.236.66, 54.240.236.69-54.240.236.70,
			     54.240.236.73-54.240.236.74, 54.240.236.77-54.240.236.78,
			     54.240.236.81-54.240.236.82, 54.240.236.85-54.240.236.86,
			     54.240.236.89-54.240.236.90, 54.240.236.93-54.240.236.94,
			     54.240.241.0-54.255.255.255, 56.48.0.0/13,
			     56.68.0.0/14, 56.96.0.0/14,
			     56.112.0.0/14, 56.124.0.0-56.131.255.255,
			     56.136.0.0/14, 56.155.0.0-56.157.255.255,
			     56.159.0.0/16, 56.162.0.0/16,
			     56.164.0.0/16, 56.184.0.0/14,
			     56.228.0.0/14, 56.240.0.0/14,
			     57.180.0.0/14, 58.254.138.0-58.254.138.191,
			     63.32.0.0/14, 63.176.0.0/12,
			     63.246.112.0/22, 63.246.119.0-63.246.127.255,
			     64.187.128.0/20, 64.252.64.0-64.252.191.255,
			     65.0.0.0/14, 65.8.0.0-65.9.191.255,
			     65.176.0.0/14, 67.202.0.0/18,
			     67.220.224.0/19, 68.66.112.0/20,
			     68.79.0.0/18, 69.107.3.176/28,
			     69.107.6.112/28, 69.107.6.160/28,
			     69.107.6.200-69.107.6.231, 69.107.7.0-69.107.7.23,
			     69.107.7.32-69.107.7.143, 69.230.192.0/18,
			     69.231.128.0/18, 69.234.192.0/18,
			     69.235.128.0/18, 70.132.0.0/18,
			     70.224.192.0/18, 70.232.64.0/18,
			     71.131.192.0-71.132.63.255, 71.136.64.0/18,
			     71.137.0.0/18, 71.141.0.0/20,
			     71.152.0.0/17, 72.21.192.0/19,
			     72.41.0.0/20, 72.44.32.0/19,
			     75.2.0.0/17, 75.79.0.0/16,
			     75.101.128.0/17, 76.223.0.0/17,
			     76.223.168.0-76.223.170.15, 76.223.170.32/28,
			     76.223.172.0/22, 79.125.0.0/17,
			     83.118.240.0/21, 83.119.128.0/18,
			     87.238.80.0/21, 96.0.0.0-96.0.108.255,
			     96.0.110.0-96.0.175.255, 96.127.0.0/17,
			     98.80.0.0/12, 98.130.0.0/15,
			     99.77.0.0/18, 99.77.128.0/18,
			     99.77.232.0-99.77.254.255, 99.78.128.0-99.78.172.255,
			     99.78.176.0-99.78.199.255, 99.78.208.0/20,
			     99.78.228.0-99.82.3.255, 99.82.8.0/21,
			     99.82.128.0/18, 99.83.64.0-99.83.104.255,
			     99.83.112.0-99.83.123.255, 99.83.128.0-99.84.255.255,
			     99.86.0.0-99.87.35.255, 99.150.0.0/17,
			     99.151.64.0-99.151.175.255, 99.151.184.0/21,
			     99.181.64.0/18, 100.20.0.0-100.31.255.255,
			     103.4.8.0/21, 103.8.172.0/22,
			     103.53.48.0/22, 103.246.148.0/22,
			     104.153.112.0-104.153.116.255, 104.153.118.0/24,
			     104.255.56.11-104.255.56.12, 104.255.56.15-104.255.56.20,
			     104.255.56.23-104.255.56.29, 104.255.59.81-104.255.59.83,
			     104.255.59.85-104.255.59.88, 104.255.59.91,
			     104.255.59.101-104.255.59.106, 104.255.59.114/31,
			     104.255.59.118/31, 104.255.59.122-104.255.59.127,
			     104.255.59.130-104.255.59.139, 104.255.59.196-104.255.59.201,
			     107.20.0.0/14, 107.176.0.0/15,
			     108.128.0.0-108.139.255.255, 108.156.0.0/14,
			     108.166.224.0/19, 108.175.48.0/20,
			     111.13.171.128/25, 111.13.185.32-111.13.185.95,
			     116.129.226.0-116.129.226.191, 118.193.97.64-118.193.97.255,
			     119.147.182.0-119.147.182.191, 120.52.12.64/26,
			     120.52.22.96/27, 120.52.39.128/27,
			     120.52.153.192/26, 120.232.236.0-120.232.236.191,
			     120.253.240.192/26, 120.253.241.160/27,
			     120.253.245.128-120.253.245.223, 122.248.192.0/18,
			     130.176.0.0-130.176.239.255, 130.176.254.0/23,
			     136.8.0.0/15, 136.18.0.0/23,
			     136.18.18.0-136.18.23.255, 136.18.32.0-136.18.34.255,
			     136.18.50.0/23, 136.18.128.0-136.18.141.255,
			     136.18.254.0/23, 139.56.16.0-139.56.34.255,
			     140.179.0.0/16, 142.4.177.0-142.4.180.255,
			     143.204.0.0/16, 144.220.0.0/16,
			     150.222.0.0-150.222.14.255, 150.222.15.124-150.222.15.133,
			     150.222.26.0-150.222.45.95, 150.222.45.128-150.222.53.31,
			     150.222.64.0/22, 150.222.68.116/31,
			     150.222.69.0-150.222.123.255, 150.222.129.0/24,
			     150.222.133.0-150.222.138.255, 150.222.139.116-150.222.139.127,
			     150.222.140.0/22, 150.222.164.208/29,
			     150.222.164.220-150.222.164.222, 150.222.176.0-150.222.180.255,
			     150.222.182.14-150.222.182.17, 150.222.196.0/24,
			     150.222.199.0/25, 150.222.200.60/31,
			     150.222.202.0-150.222.208.255, 150.222.210.0-150.222.224.255,
			     150.222.226.0-150.222.234.87, 150.222.234.96-150.222.234.143,
			     150.222.235.0-150.222.239.255, 150.222.242.84/31,
			     150.222.242.214/31, 150.222.245.122/31,
			     150.222.252.244-150.222.252.251, 151.148.8.0-151.148.16.6,
			     151.148.16.8/30, 151.148.17.0-151.148.20.255,
			     151.148.32.0-151.148.41.255, 155.146.0.0/16,
			     156.4.0.0/15, 157.175.0.0/16,
			     157.241.0.0/16, 159.248.200.0/21,
			     159.248.216.0-159.248.247.255, 160.1.0.0/16,
			     161.178.0.0/18, 161.178.128.0/18,
			     161.188.0.0-161.188.47.255, 161.188.127.0/24,
			     161.189.0.0/16, 161.193.0.0/18,
			     161.193.128.0/18, 162.208.121.0/24,
			     162.213.232.0/22, 162.222.148.0/22,
			     162.250.236.0/22, 168.185.4.0/23,
			     172.96.97.0-172.96.98.255, 172.96.110.0/24,
			     173.83.192.0-173.83.198.255, 173.83.200.0-173.83.214.255,
			     173.83.216.0-173.83.220.255, 174.129.0.0/16,
			     175.41.128.0/17, 176.32.64.0-176.32.123.255,
			     176.32.124.128-176.32.125.255, 176.34.0.0/16,
			     177.71.128.0/17, 177.72.240.0/21,
			     178.236.0.0/20, 180.163.57.0-180.163.57.191,
			     182.24.0.0-182.30.255.255, 184.32.0.0/12,
			     184.72.0.0/15, 184.169.128.0/17,
			     185.42.204.0/22, 185.48.120.0/22,
			     185.143.16.0/24, 192.16.64.0/21,
			     192.31.212.0/23, 192.43.175.0/24,
			     192.43.184.0/24, 192.108.239.0/24,
			     192.157.32.0-192.157.34.255, 192.157.72.0/23,
			     192.189.196.0/24, 195.17.0.0/24,
			     198.99.2.0/24, 199.9.248.0/21,
			     199.127.232.0/22, 203.83.220.0/22,
			     204.87.185.0/24, 204.236.128.0/17,
			     204.246.160.0/19, 205.251.192.0/19,
			     205.251.225.0-205.251.226.255, 205.251.228.0-205.251.254.255,
			     207.171.160.0/19, 208.78.128.0/21,
			     208.86.88.0/22, 208.110.48.0/20,
			     209.54.176.0/20, 216.39.136.0/21,
			     216.39.152.0-216.39.175.255, 216.137.32.0/19,
			     216.182.224.0/20 }
	}

	set bypass6_amazon_aws {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set omr_dscp_cs0_4 {
		type ipv4_addr
	}

	set omr_dscp_cs1_4 {
		type ipv4_addr
	}

	set omr_dscp_cs2_4 {
		type ipv4_addr
		elements = { 142.251.36.164, 142.251.36.170,
			     142.251.36.202, 142.251.36.227,
			     142.251.36.234, 142.251.36.238,
			     142.251.37.10, 172.217.16.170,
			     173.194.76.84 }
	}

	set omr_dscp_cs3_4 {
		type ipv4_addr
	}

	set omr_dscp_cs4_4 {
		type ipv4_addr
		elements = { 18.236.7.30, 34.252.74.1,
			     45.57.105.141, 107.20.175.192,
			     198.38.109.219 }
	}

	set omr_dscp_cs5_4 {
		type ipv4_addr
	}

	set omr_dscp_cs6_4 {
		type ipv4_addr
	}

	set omr_dscp_cs7_4 {
		type ipv4_addr
	}

	set omr_dscp_ef_4 {
		type ipv4_addr
	}

	set omr_dst_bypass_eth0_4 {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set omr_dst_bypass_eth0_6 {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set omr_dst_bypass_wan1_4 {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set omr_dst_bypass_wan1_6 {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set omr_dst_bypass_wan2_4 {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set omr_dst_bypass_wan2_6 {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set omr_dst_bypass_tun0_4 {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set omr_dst_bypass_tun0_6 {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set omr_dst_bypass_all_4 {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { 18.200.8.190, 18.236.7.30,
			     23.218.165.59, 34.160.111.145,
			     34.252.74.1, 54.73.148.110,
			     54.155.246.232, 107.20.175.192,
			     207.45.72.215 }
	}

	set omr_dst_bypass_all_6 {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_src_bypass {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_src_bypass {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_src_forward {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_src_forward {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_src_checkdst {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_src_checkdst {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_remote_servers {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { <redacted - vps ip> }
	}

	set ss_rules6_remote_servers {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_dst_bypass {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_dst_bypass {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_dst_bypass_ {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { 0.0.0.0/8, 10.0.0.0/8,
			     100.64.0.0/10, 127.0.0.0/8,
			     169.254.0.0/16, 172.16.0.0/12,
			     192.0.0.0/24, 192.0.2.0/24,
			     192.31.196.0/24, 192.52.193.0/24,
			     192.88.99.0/24, 192.168.0.0/16,
			     192.175.48.0/24, 198.18.0.0/15,
			     198.51.100.0/24, 203.0.113.0/24,
			     224.0.0.0/3 }
	}

	set ss_rules6_dst_bypass_ {
		type ipv6_addr
		flags interval
		auto-merge
		elements = { ::/127,
			     ::ffff:0.0.0.0/96,
			     64:ff9b:1::/48,
			     100::/64,
			     2001::/23,
			     fc00::/7,
			     fe80::/10 }
	}

	set ss_rules_dst_forward {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_dst_forward {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_dst_forward_rrst_ {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_dst_forward_rrst_ {
		type ipv6_addr
		flags interval
		auto-merge
	}

	chain ss_rules_pre_tcp {
		type nat hook prerouting priority filter + 1; policy accept;
		meta mark 0x00004539 accept
		ip daddr @omr_dst_bypass_all_4 accept
		meta mark 0x45391500 accept
		ip daddr @omr_dst_bypass_tun0_4 accept
		meta mark 0x00045397 accept
		ip daddr @omr_dst_bypass_wan2_4 accept
		meta mark 0x00045396 accept
		ip daddr @omr_dst_bypass_wan1_4 accept
		meta mark 0x45399999 accept
		ip daddr @omr_dst_bypass_eth0_4 accept
		meta mark 0x00004539 accept
		ip daddr @omr_dst_bypass_all_4 accept
		meta mark 0x45391500 accept
		ip daddr @omr_dst_bypass_tun0_4 accept
		meta mark 0x00045397 accept
		ip daddr @omr_dst_bypass_wan2_4 accept
		meta mark 0x00045396 accept
		ip daddr @omr_dst_bypass_wan1_4 accept
		meta mark 0x45399999 accept
		ip daddr @omr_dst_bypass_eth0_4 accept
		meta l4proto tcp iifname { "lo", "eth0" } goto ss_rules_pre_src_tcp
	}

	chain ss_rules_pre_src_tcp {
		ip daddr @ss_rules_dst_bypass_ accept
		ip6 daddr @ss_rules6_dst_bypass_ accept
		goto ss_rules_src_tcp
	}

	chain ss_rules_src_tcp {
		ip saddr @ss_rules_src_bypass accept
		ip saddr @ss_rules_src_forward goto ss_rules_forward_tcp
		ip saddr @ss_rules_src_checkdst goto ss_rules_dst_tcp
		ip6 saddr @ss_rules6_src_bypass accept
		ip6 saddr @ss_rules6_src_forward goto ss_rules_forward_tcp
		ip6 saddr @ss_rules6_src_checkdst goto ss_rules_dst_tcp
		goto ss_rules_forward_tcp
	}

	chain ss_rules_dst_tcp {
		ip daddr @ss_rules_dst_bypass accept
		ip daddr @ss_rules_remote_servers accept
		ip daddr @ss_rules_dst_forward goto ss_rules_forward_tcp
		ip6 daddr @ss_rules6_dst_bypass accept
		ip6 daddr @ss_rules6_remote_servers accept
		ip6 daddr @ss_rules6_dst_forward goto ss_rules_forward_tcp
		goto ss_rules_forward_tcp
	}

	chain ss_rules_forward_tcp {
		meta l4proto tcp redirect to :1100
	}

	chain ss_rules_local_out {
		type nat hook output priority filter - 1; policy accept;
		meta mark 0x00004539 accept
		ip daddr @omr_dst_bypass_all_4 accept
		meta mark 0x45391500 accept
		ip daddr @omr_dst_bypass_tun0_4 accept
		meta mark 0x00045397 accept
		ip daddr @omr_dst_bypass_wan2_4 accept
		meta mark 0x00045396 accept
		ip daddr @omr_dst_bypass_wan1_4 accept
		meta mark 0x45399999 accept
		ip daddr @omr_dst_bypass_eth0_4 accept
		meta mark 0x00004539 accept
		ip daddr @omr_dst_bypass_all_4 accept
		meta mark 0x45391500 accept
		ip daddr @omr_dst_bypass_tun0_4 accept
		meta mark 0x00045397 accept
		ip daddr @omr_dst_bypass_wan2_4 accept
		meta mark 0x00045396 accept
		ip daddr @omr_dst_bypass_wan1_4 accept
		meta mark 0x45399999 accept
		ip daddr @omr_dst_bypass_eth0_4 accept
		meta l4proto != tcp accept
		ip daddr @ss_rules_remote_servers accept
		ip daddr @ss_rules_dst_bypass_ accept
		ip daddr @ss_rules_dst_bypass accept
		ip6 daddr @ss_rules6_remote_servers accept
		ip6 daddr @ss_rules6_dst_bypass_ accept
		ip6 daddr @ss_rules6_dst_bypass accept
		goto ss_rules_forward_tcp
	}

	chain input {
		type filter hook input priority filter; policy drop;
		iif "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
		tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		iifname "eth0" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname { "wan1", "wan2" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
		iifname "tun0" jump input_vpn comment "!fw4: Handle vpn IPv4/IPv6 input traffic"
		jump handle_reject
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
		icmp type echo-request limit rate 1000/second counter packets 4 bytes 192 accept comment "!fw4: Allow-All-Ping"
		icmpv6 type echo-request limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-All-Ping"
		udp dport 443 counter packets 0 bytes 0 drop comment "!fw4: Block QUIC All"
		iifname "eth0" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		iifname { "wan1", "wan2" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
		iifname "tun0" jump forward_vpn comment "!fw4: Handle vpn IPv4/IPv6 forward traffic"
		jump upnp_forward comment "Hook into miniupnpd forwarding chain"
		jump handle_reject
	}

	chain output {
		type filter hook output priority filter; policy drop;
		oif "lo" accept comment "!fw4: Accept traffic towards loopback"
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
		meta nfproto ipv4 meta mark 0x00004539 counter packets 0 bytes 0 accept comment "!fw4: omr_dst_bypass_all_rule_accept"
		oifname "eth0" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
		oifname { "wan1", "wan2" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
		oifname "tun0" jump output_vpn comment "!fw4: Handle vpn IPv4/IPv6 output traffic"
		jump handle_reject
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
		icmp type echo-request limit rate 1000/second counter packets 67 bytes 5484 accept comment "!fw4: Allow-All-Ping"
		icmpv6 type echo-request limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-All-Ping"
		udp dport 443 counter packets 69 bytes 85688 drop comment "!fw4: Block QUIC All"
		counter packets 14956 bytes 2498465 jump accept_to_vpn comment "!fw4: Allow-All-LAN-to-VPN"
		counter packets 14956 bytes 2498465 jump accept_to_wan comment "!fw4: Allow-Lan-to-Wan"
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		jump accept_to_vpn comment "!fw4: Accept lan to vpn forwarding"
		iifname "eth0" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 1 bytes 145 accept comment "!fw4: Allow-ICMPv6-Forward"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
		udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject comment "!fw4: Reject any other traffic"
	}

	chain syn_flood {
		limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
		drop comment "!fw4: Drop excess packets"
	}

	chain input_lan {
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 8 bytes 1712 accept comment "!fw4: ICMPv6-Lan-to-OMR"
		udp dport 443 counter packets 0 bytes 0 drop comment "!fw4: Block QUIC Proxy"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump accept_from_lan
	}

	chain output_lan {
		jump accept_to_lan
	}

	chain forward_lan {
		counter packets 280 bytes 14332 jump accept_to_vpn comment "!fw4: Allow-All-LAN-to-VPN"
		counter packets 181 bytes 7664 jump accept_to_wan comment "!fw4: Allow-Lan-to-Wan"
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		jump accept_to_vpn comment "!fw4: Accept lan to vpn forwarding"
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump accept_to_lan
	}

	chain helper_lan {
		udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
		tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking"
		udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
		tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
		meta nfproto ipv4 tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
		meta nfproto ipv4 udp dport 137 ct helper set "netbios-ns" comment "!fw4: NetBIOS name service broadcast tracking"
		meta nfproto ipv4 tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
		tcp dport 6566 ct helper set "sane" comment "!fw4: SANE scanner connection tracking"
		udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
		meta nfproto ipv4 udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
		udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
	}

	chain accept_from_lan {
		iifname "eth0" counter packets 320 bytes 21987 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain accept_to_lan {
		oifname "eth0" counter packets 3 bytes 228 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain input_wan {
		meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
		icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
		meta nfproto ipv4 meta l4proto igmp counter packets 12 bytes 432 accept comment "!fw4: Allow-IGMP"
		meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
		ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
		icmpv6 type { nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 16 bytes 3424 accept comment "!fw4: Allow IPv6 ICMP"
		icmpv6 type . icmpv6 code { nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow IPv6 ICMP"
		meta nfproto ipv6 udp sport 546 udp dport 547 counter packets 0 bytes 0 accept comment "!fw4: Allow DHCPv6 (546-to-547)"
		meta nfproto ipv6 udp sport 547 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow DHCPv6 (547-to-546)"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump reject_from_wan
	}

	chain output_wan {
		jump accept_to_wan
	}

	chain forward_wan {
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
		udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump reject_to_wan
	}

	chain accept_to_wan {
		meta nfproto ipv4 oifname { "wan1", "wan2" } ct state invalid counter packets 0 bytes 0 drop comment "!fw4: Prevent NAT leakage"
		oifname { "wan1", "wan2" } counter packets 686 bytes 90764 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
	}

	chain reject_from_wan {
		iifname { "wan1", "wan2" } counter packets 10 bytes 966 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain reject_to_wan {
		oifname { "wan1", "wan2" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain input_vpn {
		meta l4proto { icmp, ipv6-icmp } counter packets 0 bytes 0 accept comment "!fw4: Allow-VPN-ICMP"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump reject_from_vpn
	}

	chain output_vpn {
		jump accept_to_vpn
	}

	chain forward_vpn {
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump accept_to_vpn
	}

	chain accept_to_vpn {
		meta nfproto ipv4 oifname "tun0" ct state invalid counter packets 30 bytes 3048 drop comment "!fw4: Prevent NAT leakage"
		oifname "tun0" counter packets 395 bytes 26833 accept comment "!fw4: accept vpn IPv4/IPv6 traffic"
	}

	chain reject_from_vpn {
		iifname "tun0" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject vpn IPv4/IPv6 traffic"
	}

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
		jump upnp_prerouting comment "Hook into miniupnpd prerouting chain"
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname { "wan1", "wan2" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
		oifname "tun0" jump srcnat_vpn comment "!fw4: Handle vpn IPv4/IPv6 srcnat traffic"
		jump upnp_postrouting comment "Hook into miniupnpd postrouting chain"
	}

	chain srcnat_wan {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
	}

	chain srcnat_vpn {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 vpn traffic"
	}

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
		iifname "eth0" ip daddr @bypass_amazon_aws counter packets 1646 bytes 170696 meta mark set 0x00004539 comment "!fw4: bypass_"
		iifname "eth0" ip6 daddr @bypass6_amazon_aws counter packets 0 bytes 0 meta mark set 0x00006539 comment "!fw4: bypass6_"
		iifname "eth0" ip daddr @omr_dst_bypass_all_4 counter packets 162 bytes 6480 meta mark set 0x00004539 comment "!fw4: omr_dst_bypass_all_rule"
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
		oifname "eth0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone lan IPv4/IPv6 egress MTU fixing"
		oifname { "wan1", "wan2" } tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
		oifname "tun0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 egress MTU fixing"
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
		meta l4proto tcp ip daddr @omr_dscp_cs0_4 counter packets 0 bytes 0 ip dscp set cs0 comment "!fw4: omr_dscp_cs0_4"
		meta l4proto udp ip daddr @omr_dscp_cs0_4 counter packets 0 bytes 0 ip dscp set cs0 comment "!fw4: omr_dscp_cs0_4"
		meta l4proto tcp ip daddr @omr_dscp_cs1_4 counter packets 0 bytes 0 ip dscp set cs1 comment "!fw4: omr_dscp_cs1_4"
		meta l4proto udp ip daddr @omr_dscp_cs1_4 counter packets 0 bytes 0 ip dscp set cs1 comment "!fw4: omr_dscp_cs1_4"
		meta l4proto tcp ip daddr @omr_dscp_cs2_4 counter packets 36 bytes 3525 ip dscp set cs2 comment "!fw4: omr_dscp_cs2_4"
		meta l4proto udp ip daddr @omr_dscp_cs2_4 counter packets 0 bytes 0 ip dscp set cs2 comment "!fw4: omr_dscp_cs2_4"
		meta l4proto tcp ip daddr @omr_dscp_cs3_4 counter packets 0 bytes 0 ip dscp set cs3 comment "!fw4: omr_dscp_cs3_4"
		meta l4proto udp ip daddr @omr_dscp_cs3_4 counter packets 0 bytes 0 ip dscp set cs3 comment "!fw4: omr_dscp_cs3_4"
		meta l4proto tcp ip daddr @omr_dscp_cs4_4 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_cs4_4"
		meta l4proto udp ip daddr @omr_dscp_cs4_4 counter packets 69 bytes 2760 ip dscp set cs4 comment "!fw4: omr_dscp_cs4_4"
		meta l4proto tcp ip daddr @omr_dscp_cs5_4 counter packets 0 bytes 0 ip dscp set cs5 comment "!fw4: omr_dscp_cs5_4"
		meta l4proto udp ip daddr @omr_dscp_cs5_4 counter packets 0 bytes 0 ip dscp set cs5 comment "!fw4: omr_dscp_cs5_4"
		meta l4proto tcp ip daddr @omr_dscp_cs6_4 counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_cs6_4"
		meta l4proto udp ip daddr @omr_dscp_cs6_4 counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_cs6_4"
		meta l4proto tcp ip daddr @omr_dscp_cs7_4 counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_cs7_4"
		meta l4proto udp ip daddr @omr_dscp_cs7_4 counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_cs7_4"
		meta l4proto tcp ip daddr @omr_dscp_ef_4 counter packets 0 bytes 0 ip dscp set ef comment "!fw4: omr_dscp_ef_4"
		meta l4proto udp ip daddr @omr_dscp_ef_4 counter packets 0 bytes 0 ip dscp set ef comment "!fw4: omr_dscp_ef_4"
		meta l4proto icmp ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 counter packets 213 bytes 19328 ip dscp set cs7 comment "!fw4: omr_dscp_rule1"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport { 53, 123, 5353 } udp dport 0-65535 counter packets 26 bytes 2136 ip dscp set cs4 comment "!fw4: omr_dscp_rule2"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport { 53, 5353 } tcp dport 0-65535 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_rule3"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport 65500 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_rule4"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport { 65001, 65011, 65301, 65401 } counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_rule5"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport 0-65535 udp dport { 65001, 65301 } counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_rule6"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport { 65101, 65228 } counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_rule7"
		iifname "eth0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone lan IPv4/IPv6 ingress MTU fixing"
		iifname { "wan1", "wan2" } tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
		iifname "tun0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 ingress MTU fixing"
	}

	chain upnp_forward {
	}

	chain upnp_prerouting {
	}

	chain upnp_postrouting {
	}
}
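As an added diagnostic (not code from the OpenMPTCProuter project or the reporter): given the JSON that `nft -j list set` prints, check whether a resolved address would match `ip daddr @omr_dst_bypass_all_4` and therefore receive mark 0x00004539 in `mangle_prerouting`. It assumes the set lives in table `inet fw4` (inferred from the `!fw4:` comments) and uses constructed set contents; the two addresses checked are the ones from the traceroutes above.

```python
import ipaddress
import json

# Constructed sample of `nft -j list set inet fw4 omr_dst_bypass_all_4` output.
# Table and set names come from the ruleset above; the element values are made
# up for this example and are not the reporter's real set contents.
SAMPLE_NFT_JSON = json.dumps({
    "nftables": [
        {"metainfo": {"version": "1.0.9", "json_schema_version": 1}},
        {"set": {
            "family": "inet", "name": "omr_dst_bypass_all_4", "table": "fw4",
            "type": "ipv4_addr", "handle": 42, "flags": ["interval"],
            "elem": [
                "107.20.175.192",                                  # single address
                {"prefix": {"addr": "52.94.0.0", "len": 16}},      # CIDR element
                {"range": ["3.5.140.0", "3.5.143.255"]},           # range element
            ],
        }},
    ]
})


def set_networks(nft_json: str, set_name: str):
    """Flatten one nft set (addresses, prefixes, ranges) into ip_network objects."""
    nets = []
    for obj in json.loads(nft_json)["nftables"]:
        s = obj.get("set")
        if not s or s["name"] != set_name:
            continue
        for elem in s.get("elem", []):
            if isinstance(elem, str):
                nets.append(ipaddress.ip_network(elem))
            elif "prefix" in elem:
                p = elem["prefix"]
                nets.append(ipaddress.ip_network(f"{p['addr']}/{p['len']}"))
            elif "range" in elem:
                lo, hi = (ipaddress.ip_address(a) for a in elem["range"])
                nets.extend(ipaddress.summarize_address_range(lo, hi))
    return nets


def is_bypassed(nft_json: str, set_name: str, addr: str) -> bool:
    """True if addr would match 'ip daddr @<set_name>' and get the bypass mark."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in set_networks(nft_json, set_name))


if __name__ == "__main__":
    # Apex-name address vs. the subdomain's address from the reporter's traceroutes.
    for a in ("107.20.175.192", "198.38.109.219"):
        print(a, "in bypass set:", is_bypassed(SAMPLE_NFT_JSON, "omr_dst_bypass_all_4", a))
```

On a live router, replace `SAMPLE_NFT_JSON` with the output of `nft -j list set inet fw4 omr_dst_bypass_all_4` and the address with what the client actually resolved; an address that is not in the set will never be marked, whatever the DNS-side configuration says.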

@Ysurac
Owner

Ysurac commented Dec 7, 2024

There are some issues on WhatsApp and AWS ranges...

@Ysurac
Owner

Ysurac commented Dec 10, 2024

Should be better in latest snapshot
