Hi, I'm trying to include a custom nftables rule in fw4 config.
config include
option type 'nftables'
option path '/root/fw/sshlimit.nft'
option position 'chain-pre'
option chain 'forward_wan'
# cat /root/fw/sshlimit.nft
tcp dport 22 meter sshlimit { ip saddr timeout 60s limit rate over 1/minute burst 3 packets} counter drop comment "custom: sshlimit"
The first time I reload the rules, the configuration is reloaded fine. Then, if I reload the configuration again, I get this error:
In file included from /dev/stdin:52013:3-34:
/root/fw/sshlimit.nft:1:14-92: Error: Could not process rule: Resource busy
tcp dport 22 meter sshlimit { ip saddr timeout 60s limit rate over 1/minute burst 3 packets} counter drop comment "custom: sshlimit"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It seems at each reload, the include statement is added again and again. When generating the nft configuration with
ACTION=start utpl -S /usr/share/firewall4/main.uc
I see a duplicate line at each reload.
...
chain forward_wan {
include "/root/fw/sshlimit.nft"
include "/root/fw/sshlimit.nft"
include "/root/fw/sshlimit.nft"
meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Forward"
...
Ditto in the JSON file /tmp/run/fw4.state
...
"includes": [
{
"enabled": true,
"path": "/root/fw/sshlimit.nft",
"type": "nftables",
"fw4_compatible": true,
"position": "chain-prepend",
"chain": "forward_wan"
},
{
"enabled": true,
"path": "/root/fw/ipset.nft",
"type": "nftables",
"fw4_compatible": true,
"position": "chain-prepend",
"chain": "forward_lan"
},
...
Is it a bug?
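A small checker for the duplication described in the post, added here as an example; it is not part of the original post and not fw4's own code. It parses the `includes` array of a state file like /tmp/run/fw4.state and the chain blocks of a ruleset as printed by `utpl -S /usr/share/firewall4/main.uc`, and reports any include entry or `include` line that appears more than once for the same chain. The sample state JSON and ruleset text are constructed to resemble the post's output, not real captures.

```python
import json
import re
from collections import Counter

# Constructed sample resembling the "includes" array of /tmp/run/fw4.state
# after a second reload (the sshlimit entry is listed twice). Not a real capture.
SAMPLE_STATE = json.dumps({
    "includes": [
        {"enabled": True, "path": "/root/fw/sshlimit.nft", "type": "nftables",
         "fw4_compatible": True, "position": "chain-prepend", "chain": "forward_wan"},
        {"enabled": True, "path": "/root/fw/sshlimit.nft", "type": "nftables",
         "fw4_compatible": True, "position": "chain-prepend", "chain": "forward_wan"},
        {"enabled": True, "path": "/root/fw/ipset.nft", "type": "nftables",
         "fw4_compatible": True, "position": "chain-prepend", "chain": "forward_lan"},
    ]
})

# Constructed snippet resembling the generated ruleset text
# (ACTION=start utpl -S /usr/share/firewall4/main.uc). Not a real capture.
SAMPLE_RULESET = """\
table inet fw4 {
    chain forward_wan {
        include "/root/fw/sshlimit.nft"
        include "/root/fw/sshlimit.nft"
        include "/root/fw/sshlimit.nft"
        meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Forward"
    }
    chain forward_lan {
        include "/root/fw/ipset.nft"
    }
}
"""

CHAIN_RE = re.compile(r'^\s*chain\s+(\S+)\s*\{')
INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"')


def duplicate_state_includes(state_json):
    """Return {(path, position, chain): count} for include entries that occur
    more than once in the state file's "includes" array."""
    state = json.loads(state_json)
    keys = Counter((inc.get("path"), inc.get("position"), inc.get("chain"))
                   for inc in state.get("includes", []))
    return {k: n for k, n in keys.items() if n > 1}


def duplicate_ruleset_includes(ruleset_text):
    """Return {(chain, path): count} for include lines repeated inside one
    chain block of the generated ruleset text."""
    counts = Counter()
    chain = None
    for line in ruleset_text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)          # entered a chain block
            continue
        if chain is None:
            continue                    # table-level lines are not of interest
        if line.strip() == "}":
            chain = None                # left the chain block
            continue
        m = INCLUDE_RE.match(line)
        if m:
            counts[(chain, m.group(1))] += 1
    return {k: n for k, n in counts.items() if n > 1}


def unique_state_includes(state_json):
    """Return the include entries with repeats collapsed to their first
    occurrence, keyed on (path, position, chain)."""
    seen = set()
    unique = []
    for inc in json.loads(state_json).get("includes", []):
        key = (inc.get("path"), inc.get("position"), inc.get("chain"))
        if key not in seen:
            seen.add(key)
            unique.append(inc)
    return unique


if __name__ == "__main__":
    print("state duplicates:  ", duplicate_state_includes(SAMPLE_STATE))
    print("ruleset duplicates:", duplicate_ruleset_includes(SAMPLE_RULESET))
    print("unique includes:   ", [i["path"] for i in unique_state_includes(SAMPLE_STATE)])
```

To run it against a real router, read /tmp/run/fw4.state into `duplicate_state_includes` and pipe the `utpl` output into `duplicate_ruleset_includes`; a non-empty result before the second `fw4 reload` shows the state already carries the repeated entry, which separates a stale-state problem from a rendering problem in the template.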