A couple of notes for you.
First, typically, you will get more responses to specific questions in the 'Installing and Using OpenWrt' section of the forum.
As to your specific question about the code in the wiki: essentially, by default, OpenWrt has a rule which allows established/related connections. The first portion of the code you linked to saves the existing rule (if any) for that. The command
RJ_RULE="$(nft -a list chain inet fw4 forward \
| sed -n -e "/\shandle_reject\s/p")"
appears to be saving the 'reject' rule which seems to have the tag 'handle_reject' (I can't tell for sure whether this rule actually exists or not).
Note that nft -a prints rules and their 'handles', which are sort of numerical IDs for each of the current nftables rules. The handle is the last whitespace-separated string in each line, so ${RJ_RULE##* } extracts that string. When deleting rules, you address them by the handle. When inserting or adding rules, you can optionally specify their position using the handle of an existing rule.
nft delete rule inet fw4 forward handle ${ER_RULE##* }
removes the established/related connections rule, then this code:
if [ -n "${RJ_RULE}" ]
then nft insert rule inet fw4 forward position ${RJ_RULE##* } ${ER_RULE}
else nft add rule inet fw4 forward ${ER_RULE}
fi
recreates it in a specific position. The position of the rule matters because nftables (the firewall backend) processes rules sequentially.
To me it looks like the code assumes the existence of the established/related rule and may work incorrectly if that rule does not exist.
There is some more nuance there related to the UCI commands.
To my understanding, you are expected to copy-paste the whole code block into the terminal and hope that it works. Otherwise you could create the file /etc/nftables.d/estab.sh and copy-paste the lines
ER_RULE="$(nft -a list chain inet fw4 forward \
| sed -n -e "/\sestablished,related\saccept\s/p")"
RJ_RULE="$(nft -a list chain inet fw4 forward \
| sed -n -e "/\shandle_reject\s/p")"
nft delete rule inet fw4 forward handle ${ER_RULE##* }
if [ -n "${RJ_RULE}" ]
then nft insert rule inet fw4 forward position ${RJ_RULE##* } ${ER_RULE}
else nft add rule inet fw4 forward ${ER_RULE}
fi
into it, then run the commands:
uci set firewall.estab="include"
uci set firewall.estab.path="/etc/nftables.d/estab.sh"
uci commit firewall
service firewall restart
@slh it would be nice if someone with wiki editing rights could use some of the above explanation to improve the wiki page
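Added illustration (not part of the reply above or of the wiki snippet): a POSIX shell script that parses a constructed listing in the shape of nft -a list chain inet fw4 forward, pulls out the handles the same way the snippet does, and prints the delete/insert commands it would run, refusing to continue when the established,related rule is missing (the failure mode noted above). The sample chain text and the function names are made up for this example; nothing is executed against a live firewall.

```shell
#!/bin/sh
# Constructed sample of what `nft -a list chain inet fw4 forward` prints
# (not captured from a real router); `-a` appends "# handle N" to each rule.
SAMPLE_CHAIN='table inet fw4 {
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept comment "!fw4: Allow forwarded established and related flows" # handle 12
		iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" # handle 14
		jump handle_reject # handle 17
	}
}'

# Select the rule line matching a sed regex, as the wiki snippet does.
# $1 = chain listing, $2 = regex
find_rule() {
	printf '%s\n' "$1" | sed -n -e "/$2/p"
}

# The handle is the last whitespace-separated token; ${x##* } strips
# everything up to and including the last space.
rule_handle() {
	printf '%s\n' "${1##* }"
}

# Rule text without the leading indent and the "# handle N" annotation,
# so it can be re-added and receive a fresh handle.
rule_body() {
	printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' -e 's/ # handle [0-9]*$//'
}

# Print (not execute) the nft commands the snippet would run. Unlike the
# snippet, it stops when no established,related rule exists: an empty
# ER_RULE would otherwise produce "nft delete rule ... handle" with no handle.
plan_commands() {
	er_rule="$(find_rule "$1" '\sestablished,related\saccept\s')"
	rj_rule="$(find_rule "$1" '\shandle_reject\s')"
	if [ -z "$er_rule" ]; then
		echo "error: no established,related accept rule in chain" >&2
		return 1
	fi
	echo "nft delete rule inet fw4 forward handle $(rule_handle "$er_rule")"
	if [ -n "$rj_rule" ]; then
		echo "nft insert rule inet fw4 forward position $(rule_handle "$rj_rule") $(rule_body "$er_rule")"
	else
		echo "nft add rule inet fw4 forward $(rule_body "$er_rule")"
	fi
}

plan_commands "$SAMPLE_CHAIN"
```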