BlobZ
January 2, 2025, 3:26am
1
Hi there, according to 'Config include section with nftables snippets' in https://openwrt.org/docs/guide-user/firewall/firewall_configuration I can create custom insertions to add nftables rules. I tried the example in the document and it worked.
# /etc/config/firewall
config include
option type 'nftables'
option path '/etc/my_custom_firewall_rule.nft'
option position 'chain-pre'
option chain 'input_wan'
# /etc/my_custom_firewall_rule.nft
tcp dport 0-1023 log prefix "Inbound WAN connection attempt to low TCP port: "
However, when I changed the chain to 'drop_from_lan' and did a fw4 reload, nothing happened.
Am I missing something?
Not all chains support the include feature, especially the “verdict” to/from “zone” chains.
BlobZ
January 2, 2025, 3:42am
3
Dave14305, thanks for the speedy reply. That's a little disappointing! Any idea why they are not supported, or what other chains are also not supported? I was trying to log dropped packets; is there another way to do that?
BlobZ
January 2, 2025, 3:56am
4
Never mind I found I can use the input/output_lan/wan chains. Thanks
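As an added example (not from the original poster or the OpenWrt project) of the input_wan approach: the include below is placed at 'chain-post' instead of 'chain-pre', so the log rule sits after the zone's own accept rules and only sees traffic that reaches the end of input_wan, which the zone policy then drops or rejects. It assumes fw4 emits chain-post includes before the final policy jump, and the file name /etc/fw4-log-wan-input.nft and the rate limit are my choices.

```text
# /etc/config/firewall  (added include section)
config include
	option type 'nftables'
	option path '/etc/fw4-log-wan-input.nft'
	option position 'chain-post'
	option chain 'input_wan'

# /etc/fw4-log-wan-input.nft
# Anything still unaccepted at this point is about to be dropped/rejected by the wan zone policy.
# The rate limit keeps a port scan from flooding logread; the counter lets you check
# with "nft list chain inet fw4 input_wan" that the rule is really in the chain and matching.
ct state new limit rate 10/minute burst 20 packets counter log prefix "fw4 wan input dropped: "
```

Apply with `fw4 reload` as in the original post; packets show up via `logread -e "fw4 wan input dropped"`.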
brada4
January 2, 2025, 7:50am
5
chain_pre snippets can be saved in /etc/nftables.d/
e.g. iif $wan_devices th dport le 1023 log