Adding several uci configs is slow

I have a custom-built application that takes a large array of JSON objects representing custom firewall rules, which I iterate over and do a uci add/set for each. The problem I'm having is that this approach is extremely slow with each added rule. I am familiar with a batch set in uci, but wondered if there was possibly a better solution for quickly adding uci commands in bulk. I'm even considering using the uci C API, but worry about spending the time on that and running into similar slowness.

If you're comfortable with OpenWrt 22.03/nft why not create a file for the nft and import it in one go?

I'm not too familiar with nft, but I'll look into it as a possible solution. Thank you stangri :slight_smile:

Since you already have some uci-based rules, you can see what they generate in fw4/nftables by scanning for the name of the uci-based rule in the nft. This might give you a head start on writing your own rules...

Here's my port forward with uci-name of "SSH-into-server" (extra junk deleted for clarity):

$ cat /etc/config/firewall
config redirect
    option name 'SSH-into-server'
    option target 'DNAT'
    option src 'wan'
    option src_dport '10202'
    option dest 'lan'
    option dest_ip '10.1.1.222'
    option dest_port '22'
    list proto 'tcp'

$ nft list ruleset | grep -B3 -A3 'SSH'
    chain dstnat_lan {
        ip saddr 10.1.1.0/24 ip daddr 98.4.193.27 tcp dport 10202 dnat ip to 10.1.1.222:22 comment "!fw4: SSH-into-server (reflection)"
    }

    chain srcnat_lan {
        ip saddr 10.1.1.0/24 ip daddr 10.1.1.222 tcp dport 22 snat ip to 10.1.1.1 comment "!fw4: SSH-into-server (reflection)"
    }

    chain dstnat_wan {
        meta nfproto ipv4 tcp dport 10202 counter packets 90 bytes 5156 dnat ip to 10.1.1.222:22 comment "!fw4: SSH-into-server"
    }

Do you write the nft rules similar to iptables or is there a general config for them similar to /etc/config/firewall?

It's sort of a hodge-podge as yet; I don't think fw4's scheme is completely mature yet. My thoughts also aren't completely formed, but it seems to me there should be a generic script executed either at the start or end of fw4 runs, allowing you to augment or modify the tables, chains, rules and sets prior to the firewall restart. Sort of like fw3's old /etc/firewall.user, but tweaked for any fw4 idiosyncrasies.

I've been using individual include files to inject my rules into already-existing chains, but it requires a bit of messing around and beware that you need to add anything you create to /etc/sysupgrade.conf to make sure it's backed up.

So I was able to solve my issue by using Lua to configure UCI instead of just using a shell script. The speed difference is quite noticeable, and I even moved all my configurations over to Lua from shell.
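What the Lua approach looks like in practice, as an added example rather than the poster's own script: a JSON array of redirect rules is loaded, each value is validated, and all sections are written through one uci cursor with a single commit at the end, instead of forking the uci binary once per option. It assumes the libuci Lua binding (package libuci-lua, `require "uci"`) and luci.jsonc (package luci-lib-jsonc); the rule list is constructed sample input shaped like the "SSH-into-server" section shown earlier in the thread.

```lua
-- Bulk-add fw4 'redirect' (DNAT) sections from a JSON array with the libuci
-- Lua binding: one cursor, many set() calls, a single commit() at the end.
-- Assumed packages: libuci-lua (require "uci") and luci-lib-jsonc (luci.jsonc).
local uci   = require("uci")
local jsonc = require("luci.jsonc")
-- Constructed sample input shaped like the "SSH-into-server" rule above;
-- the second entry is deliberately malformed to show the validation path.
local RULES_JSON = [[
[ {"name": "SSH-into-server", "src_dport": 10202, "dest_ip": "10.1.1.222",  "dest_port": 22, "proto": ["tcp"]},
  {"name": "bad-rule",        "src_dport": 99999, "dest_ip": "10.1.1.9999", "dest_port": 22, "proto": ["tcp"]} ]
]]
-- Validate before anything reaches /etc/config/firewall: a bad port or
-- address would make fw4 reject the whole config on the next reload.
local function valid_port(p)
  local n = tonumber(p)
  return n ~= nil and n == math.floor(n) and n >= 1 and n <= 65535
end
local function valid_ipv4(ip)
  local o = { tostring(ip):match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$") }
  if #o ~= 4 then return false end
  for _, v in ipairs(o) do if tonumber(v) > 255 then return false end end
  return true
end
local function apply_rules(rules)
  local cur, wanted, added = uci.cursor(), {}, 0
  for _, r in ipairs(rules) do wanted[r.name] = true end
  -- Drop earlier sections with the same name so re-running is idempotent.
  cur:foreach("firewall", "redirect", function(s)
    if wanted[s.name] then cur:delete("firewall", s[".name"]) end
  end)
  for _, r in ipairs(rules) do
    if valid_port(r.src_dport) and valid_port(r.dest_port) and valid_ipv4(r.dest_ip) then
      local sid = cur:add("firewall", "redirect")      -- new anonymous section
      cur:set("firewall", sid, "name",      r.name)
      cur:set("firewall", sid, "target",    "DNAT")
      cur:set("firewall", sid, "src",       "wan")
      cur:set("firewall", sid, "src_dport", tostring(r.src_dport))
      cur:set("firewall", sid, "dest",      "lan")
      cur:set("firewall", sid, "dest_ip",   r.dest_ip)
      cur:set("firewall", sid, "dest_port", tostring(r.dest_port))
      cur:set("firewall", sid, "proto",     r.proto or { "tcp" })  -- table => 'list proto'
      added = added + 1
    else
      io.stderr:write("skipping invalid rule: " .. tostring(r.name) .. "\n")
    end
  end
  cur:commit("firewall")   -- one rewrite of /etc/config/firewall for all rules
  return added
end
print(apply_rules(jsonc.parse(RULES_JSON)) .. " rule(s) committed; now run: /etc/init.d/firewall reload")
```

Nothing is applied to nftables until the firewall is reloaded, so a failed validation leaves the running ruleset untouched and only the skipped rule's name appears on stderr.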
