I've noticed that manually entered commands can disappear. For instance, the command nft insert rule inet fw4 input_wan ip saddr 1.1.1.1 tcp dport 22 counter reject has been successfully added to the nft table and effectively blocks traffic from 1.1.1.1
However, this manually entered command disappears from the nft table after a few minutes. How can I prevent the system from resetting the nft table?
I also tried as below, no useful
uci set firewall.@defaults[0].firewall_autostart=0
uci commit firewall
OpenWrt firewall expects you to create persistent rules using UCI syntax:
https://openwrt.org/docs/guide-user/firewall/firewall_configuration#rules
Reloading nftables is necessary for the proper operation of the firewall service.
Is this different from your earlier thread?
This is an alternative “include” method.
mkdir -p /usr/share/nftables.d/chain-pre/input_wan
cat >> /usr/share/nftables.d/chain-pre/input_wan/00_reject_ssh.nft <<EOF
ip saddr 1.1.1.1 tcp dport 22 counter reject
EOF
fw4 restart
Thank you for your advice, indeed using the firewall's UCI format may be a good idea, but I feel it can be a bit cumbersome. I would like also to try the method you suggested above.
Thank you for your advice and assistance
Also be sure to
echo /usr/share/nftables.d/chain-pre/input_wan/00_reject_ssh.nft >> /etc/sysupgrade.conf
so that sysupgrades retain your modifications.