luci-app-firewall: support 'DSCP' action and matches for rules

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

1 files changed, 80 insertions, 6 deletions

diff --git a/applications/luci-app-firewall/htdocs/luci-static/resources/view/firewall/rules.js b/applications/luci-app-firewall/htdocs/luci-static/resources/view/firewall/rules.js
index f26457140..9d8d8d155 100644
--- a/applications/luci-app-firewall/htdocs/luci-static/resources/view/firewall/rules.js
+++ b/applications/luci-app-firewall/htdocs/luci-static/resources/view/firewall/rules.js
@@ -395,6 +395,7 @@ return L.view.extend({
 		o.value('HELPER', _('assign conntrack helper'));
 		o.value('MARK_SET', _('apply firewall mark'));
 		o.value('MARK_XOR', _('XOR firewall mark'));
+		o.value('DSCP', _('DSCP classification'));
 		o.cfgvalue = function(section_id) {
 			var t = uci.get('firewall', section_id, 'target'),
 			    m = uci.get('firewall', section_id, 'set_mark');
@@ -413,9 +414,6 @@ return L.view.extend({
 		o.rmempty = false;
 		o.depends('target', 'MARK_SET');
 		o.validate = function(section_id, value) {
-			if (value == '')
-				return true;
-
 			var m = String(value).match(/^(0x[0-9a-f]{1,8}|[0-9]{1,10})(?:\/(0x[0-9a-f]{1,8}|[0-9]{1,10}))?$/i);
 
 			if (!m || +m[1] > 0xffffffff || (m[2] != null && +m[2] > 0xffffffff))
@@ -429,9 +427,6 @@ return L.view.extend({
 		o.rmempty = false;
 		o.depends('target', 'MARK_XOR');
 		o.validate = function(section_id, value) {
-			if (value == '')
-				return true;
-
 			var m = String(value).match(/^(0x[0-9a-f]{1,8}|[0-9]{1,10})(?:\/(0x[0-9a-f]{1,8}|[0-9]{1,10}))?$/i);
 
 			if (!m || +m[1] > 0xffffffff || (m[2] != null && +m[2] > 0xffffffff))
@@ -440,6 +435,44 @@ return L.view.extend({
 			return true;
 		};
 
+		o = s.taboption('general', form.Value, 'set_dhcp', _('DSCP mark'), _('Apply the given DSCP class or value to established connections.'));
+		o.modalonly = true;
+		o.rmempty = false;
+		o.depends('target', 'DSCP');
+		o.value('CS0');
+		o.value('CS1');
+		o.value('CS2');
+		o.value('CS3');
+		o.value('CS4');
+		o.value('CS5');
+		o.value('CS6');
+		o.value('CS7');
+		o.value('BE');
+		o.value('AF11');
+		o.value('AF12');
+		o.value('AF13');
+		o.value('AF21');
+		o.value('AF22');
+		o.value('AF23');
+		o.value('AF31');
+		o.value('AF32');
+		o.value('AF33');
+		o.value('AF41');
+		o.value('AF42');
+		o.value('AF43');
+		o.value('EF');
+		o.validate = function(section_id, value) {
+			if (value == '')
+				return _('DSCP mark required');
+
+			var m = String(value).match(/^(?:CS[0-7]|BE|AF[1234][123]|EF|(0x[0-9a-f]{1,2}|[0-9]{1,2}))$/);
+
+			if (!m || (m[1] != null && +m[1] > 0x3f))
+				return _('Invalid DSCP mark');
+
+			return true;
+		};
+
 		o = s.taboption('general', form.ListValue, 'set_helper', _('Tracking helper'), _('Assign the specified connection tracking helper to matched traffic.'));
 		o.modalonly = true;
 		o.placeholder = _('any');
@@ -481,6 +514,47 @@ return L.view.extend({
 			return true;
 		};
 
+		o = s.taboption('advanced', form.Value, 'dscp', _('Match DSCP'),
+			_('Matches traffic carrying the specified DSCP marking.'));
+		o.modalonly = true;
+		o.rmempty = true;
+		o.placeholder = _('any');
+		o.value('CS0');
+		o.value('CS1');
+		o.value('CS2');
+		o.value('CS3');
+		o.value('CS4');
+		o.value('CS5');
+		o.value('CS6');
+		o.value('CS7');
+		o.value('BE');
+		o.value('AF11');
+		o.value('AF12');
+		o.value('AF13');
+		o.value('AF21');
+		o.value('AF22');
+		o.value('AF23');
+		o.value('AF31');
+		o.value('AF32');
+		o.value('AF33');
+		o.value('AF41');
+		o.value('AF42');
+		o.value('AF43');
+		o.value('EF');
+		o.validate = function(section_id, value) {
+			if (value == '')
+				return true;
+
+			value = String(value).replace(/^!\s*/, '');
+
+			var m = value.match(/^(?:CS[0-7]|BE|AF[1234][123]|EF|(0x[0-9a-f]{1,2}|[0-9]{1,2}))$/);
+
+			if (!m || +m[1] > 0xffffffff || (m[2] != null && +m[2] > 0xffffffff))
+				return _('Invalid DSCP mark');
+
+			return true;
+		};
+
 		o = s.taboption('advanced', form.Value, 'extra', _('Extra arguments'),
 			_('Passes additional arguments to iptables. Use with care!'));
 		o.modalonly = true;