I prefer include directories over something like `/etc/firewall.user` (and other uci-configured includes) because then it is easy to amend the firewall ruleset by just placing files. Given a deep enough directory hierarchy we can also support stuff like `pre` and `post` includes, where the former may be useful to set up things used by other chain scoped includes later and the latter could be used to selectively flush/replace/amend parts of the default ruleset without having to patch the firewall templates or disabling the firewall service altogether.
I could imagine a hierarchy like that (the chain includes might be redundant, but I suppose they could be useful):

- `/etc/nftables.d/global-pre/` (before the `table inet fw4 { ... }` declaration)
- `/etc/nftables.d/table-pre/` (before the first chain declaration within `table inet fw4 { ... }`)
- `/etc/nftables.d/chain-$name-pre/` (before any rule in chain `$name`)
- `/etc/nftables.d/chain-$name-post/` (after any rule in chain `$name`)
- `/etc/nftables.d/table-post/` (after the last chain declaration within `table inet fw4 { ... }`)
- `/etc/nftables.d/global-post/` (after the `table inet fw4 { ... }` declaration)
If we're worried about the many `include .../*.nft` statements cluttering the ruleset we could only conditionally add them if we find related files in `/etc/nftables.d/...`.
A call to an `/etc/firewall.user` shell script could be added additionally as well, but as others have pointed out it is less useful due to the non-atomic nature.
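As an added illustration (not fw4's own template code or part of the post above), the following POSIX sh renders a ruleset skeleton with the proposed include points and, as the post suggests, only emits an `include` statement for directories that actually contain `*.nft` files. The include root and chain names are parameters; `/etc/nftables.d` is the assumed real root, and the demo runs on a constructed temporary hierarchy.

```shell
#!/bin/sh
# Added example, not fw4's own template code: render an nftables ruleset
# skeleton with the proposed include points, emitting an "include" line only
# for directories that actually contain *.nft files.

# Print one include statement for directory $1 (indented by $2) if it holds
# at least one *.nft file; an unmatched glob means there is nothing to include.
emit_include() {
    for f in "$1"/*.nft; do
        [ -e "$f" ] || return 0
        printf '%sinclude "%s/*.nft"\n' "$2" "$1"
        return 0
    done
}

# Render the skeleton in the proposed order: global-pre, table-pre, per-chain
# pre/post, table-post, global-post.  $1 = include root, remaining = chains.
render_ruleset() {
    root=$1; shift
    emit_include "$root/global-pre" ""
    printf 'table inet fw4 {\n'
    emit_include "$root/table-pre" "    "
    for chain in "$@"; do
        printf '    chain %s {\n' "$chain"
        emit_include "$root/chain-$chain-pre" "        "
        printf '        # default fw4 rules for %s go here\n' "$chain"
        emit_include "$root/chain-$chain-post" "        "
        printf '    }\n'
    done
    emit_include "$root/table-post" "    "
    printf '}\n'
    emit_include "$root/global-post" ""
}

# Demo on a constructed hierarchy (not a real system): only global-pre and
# chain-input-post hold files, so exactly two include lines are emitted and
# the empty table-pre directory stays silent.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/global-pre" "$demo_root/table-pre" "$demo_root/chain-input-post"
: > "$demo_root/global-pre/10-sets.nft"
: > "$demo_root/chain-input-post/90-extra.nft"
render_ruleset "$demo_root" input forward output
rm -rf "$demo_root"
```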