Firewall writing help

Hello
Currently I have the following command, executed from an sh script:
nft insert rule inet fw4 mangle_prerouting ip saddr 192.168.1.0/24 meta mark set 10 counter
Now I want to merge it into /etc/nftables.d/test.conf
How do I need to write it?

I tried the following but failed when restarting the firewall:

chain mangle_prerouting {
	 ip saddr 192.168.1.0/24 meta mark set 10 counter
	}

Thanks!

mkdir -p /usr/share/nftables.d/chain-pre/mangle_prerouting
echo "ip saddr 192.168.1.0/24 meta mark set 10 counter" > /usr/share/nftables.d/chain-pre/mangle_prerouting/10-my_mangle_rule.nft
fw4 restart

To review the other available options:

https://openwrt.org/docs/guide-user/firewall/firewall_configuration#includes_2203_and_later_with_fw4

nm, misread

It has always worked for me, and fw4 reload != fw4 restart

good point, didn't spot the difference.

please disregard.

Yes, it is working.

But I have other chains and rules,
such as srcnat_wan/input_wan; it seems that they cannot be placed in this directory.

If this is the case, it is better to just use the sh script, otherwise it will be too scattered and difficult to manage.
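
On the concern about rules ending up scattered across directories: the following is an added example, not code from the thread or from OpenWrt. It keeps every rule in one manifest and generates the chain-pre snippet files from it. The manifest format, the function names, the `FW4_INC_ROOT` variable and the `input_wan` rule are constructed for illustration, and it assumes fw4 reads `chain-pre/<chain>/` for zone chains the same way it does for `mangle_prerouting`.

```shell
#!/bin/sh
# Added example: one manifest in, one fw4 include snippet per rule out.

# Manifest (constructed sample). Columns: CHAIN PRIO NAME RULE...
manifest() {
cat <<'EOF'
# chain            prio name       rule
mangle_prerouting  10   mark_lan   ip saddr 192.168.1.0/24 meta mark set 10 counter
input_wan          10   count_ssh  tcp dport 22 counter
EOF
}

# write_snippets ROOT  (manifest on stdin)
# Writes ROOT/chain-pre/CHAIN/PRIO-NAME.nft and prints the number of files written.
write_snippets() {
    root=$1 count=0
    while read -r chain prio name rule; do
        # Skip blank lines and comments.
        case $chain in ''|'#'*) continue ;; esac
        # Chain and name become path components: allow only safe characters,
        # so a manifest entry cannot escape ROOT (no "/" or "..").
        case $chain$name in
            *[!A-Za-z0-9_-]*) echo "bad name: $chain $name" >&2; return 1 ;;
        esac
        case $prio in
            ''|*[!0-9]*) echo "bad priority: $prio" >&2; return 1 ;;
        esac
        [ -n "$rule" ] || { echo "empty rule for $chain" >&2; return 1; }
        dir=$root/chain-pre/$chain
        mkdir -p "$dir" || return 1
        # Write to a temp file first so fw4 never sees a half-written snippet.
        tmp=$dir/.$prio-$name.tmp
        printf '%s\n' "$rule" > "$tmp" && mv "$tmp" "$dir/$prio-$name.nft" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Only touches the filesystem when FW4_INC_ROOT is set, e.g. on the router:
#   FW4_INC_ROOT=/usr/share/nftables.d sh this_script.sh && fw4 check && fw4 restart
if [ -n "$FW4_INC_ROOT" ]; then
    manifest | write_snippets "$FW4_INC_ROOT"
fi
```

Running `fw4 check` before `fw4 restart` validates the generated ruleset, so a typo in one manifest line does not leave the firewall unloaded.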