How to run /etc/firewall.user after specific service (TUN-based proxy) start/restart? (fw4, OpenWrt 24.10.x)

Hi, community!

I’m running a proxy service on OpenWrt 24.x which:
• creates a TUN interface
• dynamically sets up its own nftables table and chains on start/restart

I have a script in /etc/firewall.user that adds additional rules to those chains.
The script works flawlessly when executed manually after the service has started, but I’m struggling to run it automatically. I’ve already tried a procd trigger, a service hook, and hotplug, with no luck.

It must run after every start/restart of this specific service, once the TUN interface and nft tables already exist.

I want to avoid modifying the service’s own /etc/init.d/ script.

What is the proper, supported OpenWrt (fw4) way to automatically execute /etc/firewall.user after a given service starts or restarts?

Place it in a separate firewall zone and apply rules there. firewall.user disappeared in OpenWrt 22.

You probably want both scenarios, running on service start/stop and on firewall restart.

For this approach we created a common script that can be called by both the main service init script, and also added a script include entry into the firewall config.

I know you said you don’t want to modify the init but this is really the most robust way to do it. It also moves you away from firewall.user.
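
A sketch of the common-script approach from the reply above, as an added example that is not the poster's or OpenWrt's own code. The script path, the interface `tun0`, the table `inet proxy` and the chain `prerouting` are assumptions; substitute the names your proxy service actually creates.

```shell
#!/bin/sh
# /etc/proxy-fw-extra.sh (hypothetical path). Assumed names, not from the thread:
# interface tun0, table "inet proxy", hook chain "prerouting".
# Firewall side (/etc/config/firewall): config include, option type 'script',
# option path '/etc/proxy-fw-extra.sh', option fw4_compatible '1'.
# Service side: its init script runs "/etc/proxy-fw-extra.sh wait" after start.
TUN_IF="${TUN_IF:-tun0}"
TABLE="${TABLE:-inet proxy}"   # used unquoted so it splits into family + name
HOOK_CHAIN="${HOOK_CHAIN:-prerouting}"
EXTRA_CHAIN="user_extra"
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# True once both the TUN device and the service's nft table exist.
proxy_ready() {
    [ -e "$SYSFS_NET/$TUN_IF" ] && nft list table $TABLE >/dev/null 2>&1
}

# Poll for up to $1 seconds; used right after a service start/restart.
wait_ready() {
    n=0
    until proxy_ready; do
        [ "$n" -ge "$1" ] && return 1
        n=$((n + 1)); sleep 1
    done
}

# Idempotent: rules live in our own chain, which is flushed and refilled, and
# the jump is inserted only if missing, so repeated calls never duplicate rules.
apply_rules() {
    nft add chain $TABLE "$EXTRA_CHAIN" || return 1
    nft flush chain $TABLE "$EXTRA_CHAIN" || return 1
    # Constructed sample rule: leave LAN-destined traffic alone.
    nft add rule $TABLE "$EXTRA_CHAIN" ip daddr 192.168.1.0/24 return || return 1
    nft list chain $TABLE "$HOOK_CHAIN" | grep -q "jump $EXTRA_CHAIN" ||
        nft insert rule $TABLE "$HOOK_CHAIN" jump "$EXTRA_CHAIN"
}

# "wait [secs]": service start path. No argument: firewall include path; if
# the service is down there is nothing to do, its next start calls us again.
main() {
    if [ "${1:-}" = "wait" ]; then
        wait_ready "${2:-15}" || { echo "proxy table not ready" >&2; return 1; }
    else
        proxy_ready || return 0
    fi
    apply_rules
}
main "$@"
```

Because the rules sit in a separate chain that is flushed on each call, a firewall reload while the proxy is running refreshes them without stacking duplicates.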