Creating a firewall chain using UCI

Is it possible to create a custom chain using UCI commands?

Currently, I add a chain (and its contents) using a command in /etc/firewall.user, e.g.:
iptables -t filter -N limited_input && ...
And after that some of my scripts add/modify rules "on the fly" that use this chain via UCI, e.g.:

uci set firewall.some_rul=rule &&\
uci set firewall.some_rul.src="wan" &&\
uci set firewall.some_rul.dest_port="$PORT" &&\
uci set firewall.some_rul.proto="$PROTO" &&\
uci set firewall.some_rul.extra="-j limited_input"

But in case of a firewall restart (/etc/init.d/firewall restart), all rules that use the limited_input chain cannot be (re)created, because the file /etc/firewall.user is processed last of all and my chain doesn't exist yet.

Some options:

  1. don't use firewall.user
  2. re-order /etc/config/firewall
  3. add your parent chain "on-the-fly" also ( or use the provided chain )
  4. install miniupnpd to see how it can be achieved integral-tasticly
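To illustrate option 3 together with the UCI rule from the question, here is an added shell example (not code from the thread or from OpenWrt). It creates the parent chain idempotently right before the rule that jumps to it is added, validates the port and protocol that the script feeds into `uci set`, and reverts the uncommitted changes if any step fails. The chain name `limited_input` and the `src`, `dest_port`, `proto` and `extra` options are taken from the question; the function names, the rule `name` option and the `--apply`-less usage are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: create the parent chain on the fly
# (option 3 above) and then add a UCI rule that jumps to it.

CHAIN="limited_input"   # chain name from the question

# Return 0 if chain "$1" appears in `iptables -S` output read from stdin.
# Kept separate from iptables so it can be checked with constructed input.
chain_in_listing() {
    grep -q "^-N ${1}\$"
}

# Create chain "$1" in the filter table unless it already exists.
ensure_chain() {
    if iptables -t filter -S | chain_in_listing "$1"; then
        return 0
    fi
    iptables -t filter -N "$1"
}

# Accept only integers in 1..65535, so a bad $PORT never reaches uci.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Accept only the protocol values fw3 understands for a port-based rule.
valid_proto() {
    case "$1" in
        tcp|udp|tcpudp) return 0 ;;
        *) return 1 ;;
    esac
}

# Add rule "$1" for port "$2" / protocol "$3" that jumps to $CHAIN.
# On any failure the uncommitted changes are reverted, mirroring the
# `uci revert` workflow described in the question.
add_limited_rule() {
    valid_port "$2"  || { echo "bad port: $2" >&2;  return 1; }
    valid_proto "$3" || { echo "bad proto: $3" >&2; return 1; }
    ensure_chain "$CHAIN" || return 1
    uci set "firewall.$1=rule" &&
    uci set "firewall.$1.name=$1" &&
    uci set "firewall.$1.src=wan" &&
    uci set "firewall.$1.dest_port=$2" &&
    uci set "firewall.$1.proto=$3" &&
    uci set "firewall.$1.extra=-j $CHAIN" &&
    uci commit firewall &&
    /etc/init.d/firewall reload || { uci revert firewall; return 1; }
}
```

Call it as `add_limited_rule limited_8080 8080 tcp` from the scripts that manage the rules. Note that this only guarantees the chain exists at the moment the rule is added; after a full firewall restart the chain still has to be present before the rules in /etc/config/firewall are loaded, which is exactly the ordering problem the question raises.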

I am interested in a specific question: is it possible to add new chains using UCI or not?

The Wiki says firewall.user is the proper location. In addition, there's a setting custom_chains to use chains in firewall.user.

See: https://openwrt.org/docs/guide-user/firewall/firewall_configuration


Wouldn't it work to add the chain specific rules in the firewall.user file too, rather than the main firewall config?


As I said earlier, rules that use the "limited_input" chain are added/modified/deleted by scripts during operation; these rules are not permanently stored in /etc/config/firewall or in /etc/firewall.user. And it's very convenient to manipulate these rules through UCI commands (uci revert firewall.some_rul, uci set firewall.some_rul.dest_port=...).

No, this is not possible.

