22.03.0: custom chains missing, how-to?

After upgrading my WRT3200ACM I miss the custom chains in fw4.

Setting option custom_chains in the firewall default section did not bring them up. I now tried to create them myself by using an include script, but this is the best I achieved:

I would appreciate it if the custom chain were placed after the flow table rule or even after the related,established rule.

How do I achieve this?

# Include spliced into "table inet fw4" before its first chain declaration
mkdir -p /usr/share/nftables.d/table-pre
echo 'chain custom_forward {}' > /usr/share/nftables.d/table-pre/90_custom_chain.nft

# Include spliced into the forward chain, between the flow table rule and the established,related rule
mkdir -p /usr/share/nftables.d/chain-pre/forward
echo 'jump custom_forward' > /usr/share/nftables.d/chain-pre/forward/90_link_custom_chain.nft

# Regenerate and load the ruleset so the includes take effect
fw4 reload

The first include will just declare an empty custom_forward chain, you could add further chains, arbitrary rules etc there. It will be included before the first chain declaration in table inet fw4.

The second include will be placed between the flow table rule and the established,related one (this is fixed). It will simply inject a jump rule into your custom chain. You can repeat that approach for other chains (such as input, output, srcnat, dstnat etc.) to hook further custom chains elsewhere.


Thank you @jow

I currently try to get the bcp38 package running which is not migrated to fw4 yet. I thought about volunteering a bit. :wink:

In fw3 the bcp38 rules were placed in custom chains and processed very early. I see that with this I can set up a similar configuration in fw4.
But I struggle at the moment with the (old) bcp38 script removing the rules when the filter is disabled in the UI, without triggering a reload of all firewall rules. As I understand, deleting rules is complicated in nftables.
I see two options:

  • trigger a fw4 reload on saving the bcp38 configuration in the UI, but I also need to ensure the custom chains are available
  • place the bcp38 filter rules in their own base chains (in table fw4) processed before the fw4 standard chains.
    The second option would allow removing the complete chains on disabling the bcp38 filter in the UI without restarting the firewall.

I read about tables, chains and flow offload but the one question I haven't found an answer for:

Flow table path checking is done before the hooks on the netfilter forward, and if it is matched and the packet takes the flow fast path ... it won't be seen by any of the netfilter input, forward and output hooks. Correct?
So what is the 'Utilize flow table' entry for? Is this just for adding valid packet rules for flowtable inside the chain to flow table?
In this case adding another hook for filtering before the standard hook would not interfere with flow-offload?
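As an added example (not code from jow's reply or from the bcp38 package), the script below writes both layouts discussed in this thread: jow's table-pre/chain-pre pair with the custom chain filled in, and the second option from the follow-up post, a separate base chain inside table inet fw4 hooked on forward so it can be deleted with nft on its own. Assumptions: fw4's own forward chain runs at priority filter (0) so priority -10 orders before it, the drop prefixes are constructed TEST-NET samples, and the function names and the directory argument are mine so the script can be exercised outside a router.

```shell
#!/bin/sh
# Added example, not from the thread. Writes fw4 include files:
#  1) jow's layout: a regular chain "custom_forward" (plus the set it uses)
#     in table-pre, and a "jump" into it from fw4's forward chain via chain-pre;
#  2) the follow-up's second option: a separate base chain in table inet fw4
#     hooked on forward at priority -10, which (assumption) runs before fw4's
#     own forward chain at priority filter (0) and can be dropped on its own.
# $1 is the nftables.d directory; defaults to the real one on the router.
write_fw4_includes() {
    base="${1:-/usr/share/nftables.d}"
    mkdir -p "$base/table-pre" "$base/chain-pre/forward"

    # Spliced in before the first chain of table inet fw4
    cat > "$base/table-pre/90_custom_chain.nft" <<'EOF'
# Constructed sample prefixes (TEST-NET ranges); replace with the real list.
set custom_drop_src {
    type ipv4_addr
    flags interval
    elements = { 192.0.2.0/24, 198.51.100.0/24 }
}
chain custom_forward {
    ip saddr @custom_drop_src counter drop
}
EOF

    # Spliced into fw4's forward chain, between the flow table rule and
    # the established,related rule, so traffic reaches custom_forward early
    cat > "$base/chain-pre/forward/90_link_custom_chain.nft" <<'EOF'
jump custom_forward
EOF

    # Own base chain: no jump needed, ordered by priority against fw4's chain
    cat > "$base/table-pre/91_bcp38_forward.nft" <<'EOF'
chain bcp38_forward {
    type filter hook forward priority -10; policy accept;
    ip saddr @custom_drop_src counter drop
}
EOF
}

# Disable the second variant without a full firewall reload: remove the include
# so the next "fw4 reload" does not recreate it, then delete the live chain.
disable_bcp38_chain() {
    base="${1:-/usr/share/nftables.d}"
    rm -f "$base/table-pre/91_bcp38_forward.nft"
    nft delete chain inet fw4 bcp38_forward
}
# On the router: write_fw4_includes && fw4 reload
```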