Blacklist 'wan' zone and allow the others using DNS (bug?)

My OpenWrt device acts as a DNS server. It has multiple firewall zones, and most of them are configured with option input 'REJECT'. I want to allow all but the 'wan' zone to access the DNS service at port 53.

config rule 'drop_dns_wan_localhost' # blacklist the 'wan' zone
	option name 'Drop DNS from WAN to LOCALHOST'
	option enabled '1'
	option target 'DROP'
	option family 'any'
	list proto 'tcp'
	list proto 'udp'
	option src 'wan'
	option dest_port '53'

config rule 'accept_dns_any_localhost' # then enable DNS for the others
	option name 'Accept DNS from ANY to LOCALHOST'
	option enabled '1'
	option target 'ACCEPT'
	option family 'any'
	list proto 'tcp'
	list proto 'udp'
	option src '*'
	option dest_port '53'

I am being bombarded with a DNS amplification attack from the Internet:

The order of rules seems alright. Is this a bug?

I am not 100% sure but just check with:

nft list ruleset

I think no zone trumps a specific zone.

In this case, the order doesn't help, as option src '*' takes precedence.

The first rule is created in the input_wan chain, while the second is created in the main input chain, before the jump input_wan statement.
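The chain placement described in this reply is easy to confirm on a router, but the thread only says "check nft list ruleset". Below is an added shell/awk example (not from the thread, not fw4's own tooling) that reads `nft list ruleset` output, reports which chain each named rule landed in, and flags the shadowing case: a rule in the base `input` chain that accepts before the `jump input_wan` verdict. The embedded ruleset is a constructed, abridged fw4-style rendering of the config posted above; the interface names (`eth0`, `br-lan`), the surrounding default rules, the `th dport` syntax and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the forum thread or from OpenWrt/fw4 itself:
# find which nft chain fw4 put each named firewall rule in, and flag the
# shadowing case where a base-chain rule accepts traffic before the
# `jump input_<zone>` verdict that would have reached the zone's DROP rule.
# Functions read `nft list ruleset` output from stdin.

# Constructed, abridged fw4-style ruleset mirroring the config in the thread:
# the src '*' ACCEPT lands in chain "input" ahead of the jumps, the src 'wan'
# DROP lands in "input_wan". Interface names and the other rules are assumed.
SAMPLE_RULESET=$(cat <<'EOF'
table inet fw4 {
	chain input {
		type filter hook input priority filter; policy drop;
		iifname "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
		meta nfproto { ipv4, ipv6 } meta l4proto { tcp, udp } th dport 53 counter accept comment "!fw4: Accept DNS from ANY to LOCALHOST"
		iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname "eth0" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
	}
	chain input_lan {
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump accept_from_lan
	}
	chain input_wan {
		meta nfproto ipv4 udp dport 68 counter accept comment "!fw4: Allow-DHCP-Renew"
		meta nfproto { ipv4, ipv6 } meta l4proto { tcp, udp } th dport 53 counter drop comment "!fw4: Drop DNS from WAN to LOCALHOST"
		jump reject_from_wan
	}
}
EOF
)

# rule_chain NAME: print the chain containing the first rule whose comment
# contains NAME (fw4 copies `option name` into the rule comment).
rule_chain() {
    awk -v needle="$1" '
        /^[ \t]*chain [A-Za-z0-9_]+ \{/ { chain = $2 }
        chain != "" && index($0, needle) { print chain; exit }
    '
}

# jump_shadow_check NAME ZONE_CHAIN: "shadowed" if rule NAME sits in the base
# "input" chain before the verdict "jump ZONE_CHAIN", so packets from that zone
# never reach ZONE_CHAIN; "ok" otherwise (including NAME not being in "input").
jump_shadow_check() {
    awk -v needle="$1" -v zc="$2" '
        /^[ \t]*chain [A-Za-z0-9_]+ \{/ { chain = $2 }
        chain == "input" && !rule && index($0, needle)               { rule = NR }
        chain == "input" && !jump && $0 ~ ("jump " zc "([ \t]|$)")  { jump = NR }
        END {
            verdict = (rule && jump && rule < jump) ? "shadowed" : "ok"
            print verdict
        }
    '
}

# Stand-alone use: `sh check_fw4_dns.sh` inspects the sample; `--live` on the
# router inspects the real ruleset instead (script name is assumed).
report() {
    for name in 'Drop DNS from WAN to LOCALHOST' 'Accept DNS from ANY to LOCALHOST'; do
        printf '%-33s -> chain %s\n' "$name" \
            "$(printf '%s\n' "$RULESET" | rule_chain "$name")"
    done
    printf 'shadowing check: %s\n' \
        "$(printf '%s\n' "$RULESET" | jump_shadow_check 'Accept DNS from ANY to LOCALHOST' input_wan)"
}

if [ "${1:-}" = "--live" ]; then
    RULESET=$(nft list ruleset)
else
    RULESET=$SAMPLE_RULESET
fi
report
```

On the sample this prints `input_wan` for the DROP rule, `input` for the ACCEPT rule, and `shadowed`, which is exactly the situation the reply describes: a packet from eth0 hits the accept in `input` and never reaches `input_wan`. Since fw4 puts a rule with a named `src` zone into that zone's `input_<zone>` chain and a rule with `src '*'` into the base chain ahead of the zone jumps, the practical fix is to drop the `src '*'` ACCEPT entirely and add one ACCEPT rule per trusted zone (`option src 'lan'`, `option src 'guest'`, and so on); wan traffic then falls through to the zone's own REJECT/DROP.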

I've checked and it is exactly as you said. Thanks a lot.

Is it a bug? They are both classified as rule. Or do OpenWrt developers really expect the end users to inspect the nft ruleset to double check what kind of configuration is being generated?

I am not a normal user by any chance. Even then, my knowledge has not reached the point where I can navigate iptables/nftables comfortably. That's why I (and many people out there) use fw3/fw4. But now it technically forces the users to go back to reading nftables. :upside_down_face: