How to prevent automatically resetting nftables

I've noticed that manually entered commands can disappear. For instance, the command nft insert rule inet fw4 input_wan ip saddr 1.1.1.1 tcp dport 22 counter reject has been successfully added to the nft table and effectively blocks traffic from 1.1.1.1.

However, this manually entered command disappears from the nft table after a few minutes. How can I prevent the system from resetting the nft table?

I also tried the following, but it was not useful:

uci set firewall.@defaults[0].firewall_autostart=0
uci commit firewall

OpenWrt firewall expects you to create persistent rules using UCI syntax:
https://openwrt.org/docs/guide-user/firewall/firewall_configuration#rules

Reloading nftables is necessary for the proper operation of the firewall service.

3 Likes
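The UCI form of the rule from the question, as an added example written for this page (it is not one of the replies above). It assumes the WAN zone is named wan and uses a constructed section name; the function only prints the uci commands, so pipe its output into sh on the router.

```shell
#!/bin/sh
# Added example: map the ad-hoc rule
#   nft insert rule inet fw4 input_wan ip saddr 1.1.1.1 tcp dport 22 counter reject
# onto a persistent fw4 'rule' section. With src set to the wan zone and no
# dest, fw4 places the rule in the input_wan chain, so it survives every
# firewall reload that would otherwise wipe the hand-entered nft rule.
#
# $1 = UCI section name (constructed, any [A-Za-z0-9_] name)
# $2 = source zone (assumed: wan)
# $3 = source IP or CIDR, $4 = protocol, $5 = router port to protect
#
# Usage on the router:
#   gen_reject_rule reject_ssh wan 1.1.1.1 tcp 22 | sh
# Verify afterwards with:
#   nft list chain inet fw4 input_wan | grep 1.1.1.1
gen_reject_rule() {
    name=$1; zone=$2; src_ip=$3; proto=$4; port=$5

    # Refuse obviously bad input instead of committing a broken section.
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: '$port'" >&2; return 1 ;;
    esac
    case "$name" in
        ''|*[!A-Za-z0-9_]*) echo "bad section name: '$name'" >&2; return 1 ;;
    esac

    # 'uci -q delete' first makes re-running the script idempotent: the
    # section is recreated rather than duplicated.
    cat <<EOF
uci -q delete firewall.$name
uci set firewall.$name=rule
uci set firewall.$name.name='$name'
uci set firewall.$name.src='$zone'
uci set firewall.$name.src_ip='$src_ip'
uci set firewall.$name.proto='$proto'
uci set firewall.$name.dest_port='$port'
uci set firewall.$name.target='REJECT'
uci commit firewall
/etc/init.d/firewall reload
EOF
}
```

Because the rule now lives in /etc/config/firewall, it is also carried over by sysupgrade without any extra sysupgrade.conf entry.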

Is this different from your earlier thread?

3 Likes

This is an alternative “include” method.

mkdir -p /usr/share/nftables.d/chain-pre/input_wan
cat >> /usr/share/nftables.d/chain-pre/input_wan/00_reject_ssh.nft <<EOF
ip saddr 1.1.1.1 tcp dport 22 counter reject
EOF
fw4 restart
1 Like

Thank you for your advice; indeed, using the firewall's UCI format may be a good idea, but I feel it can be a bit cumbersome. I would also like to try the method you suggested above.

Thank you for your advice and assistance.

Also be sure to

echo /usr/share/nftables.d/chain-pre/input_wan/00_reject_ssh.nft >> /etc/sysupgrade.conf

so that sysupgrades retain your modifications.

1 Like