It would be nice to have a way to select multiple source zones in the luci-firewall port forward. It would avoid duplicating rules just to change the source zone.
How do you guess to which zone a connection should go if there are multiple targets?
My bad. I meant multiple zones for the source only.
Sorry but you should get back to your drawing board, and carefully reconsider what you ask for. This request cannot be implemented.
Extremely helpful, thanks.
If luci/uci has decided that there must be a 1:1 mapping between zones and nft rules, that's an implementation decision and I can just live with that.
But of course, if I have two rules that are exactly the same, differing only in the source zone, I could also have a single one "exploding" internally into multiple nft rules. That's just a development decision. So the sentence "you should get back to your drawing board and carefully reconsider what you ask for" could have been omitted.
The problem is that nobody wants to touch fw3, which is still required to drive some ancient xt modules in use, i.e. redefine the source option as a list in both firewalls, then promote it to luci.
This is the kind of useful reply.
Thanks!
- So what prevents you (i.e., the user) from making the 2 rules that match the 1:1 paradigm, instead of wanting the OpenWrt developers to parse and make "logically truncated" rules that don't match the underlying system?
- Perhaps you can explain the case where one makes 2 zones, but then intends for them to have the same rules (without advanced Routing Policies)?
I only ask because (as you may note) the poster in the linked thread ended up needing 0 rules to accomplish their goal. So I merely ask out of curiosity and edification.
And only the UCI is keeping track of rules?
- I see a vector for a malicious actor to unknowingly inject rules (i.e. add a zone to an existing Port Forward, especially for users who sometimes write their own NFT rules and don't like UCI/LuCI).
- Your rules by another name are called "redirects"; it's possible (even if by accident) to make incorrect rules that have redirect loops and DoS yourself (e.g. a port forward from the WAN to the LAN zone, and a port forward from LAN to a LAN IP).
> So what prevents you (i.e., the user) from making the 2 rules that match the 1:1 paradigm, instead of wanting the OpenWrt developers to parse and make "logically truncated" rules that don't match the underlying system?
Nothing at all, I was just thinking as an improvement.
> Perhaps you can explain the case where one makes 2 zones, but then intends for them to have the same rules (without advanced Routing Policies)?
Let's say I have 5 zones and I want that, for 2 of them, for example IoT and guests, all the DNS queries directed to the WAN be redirected to the OpenWrt device. Currently I would have to create 2 rules; I was just thinking that it could be only one.
> And only the UCI is keeping track of rules?
> I see a vector for a malicious actor to unknowingly inject rules (i.e. add a zone to an existing Port Forward, especially for users who sometimes write their own NFT rules and don't like UCI/LuCI).
> Your rules by another name are called "redirects"; it's possible (even if by accident) to make incorrect rules that have redirect loops and DoS yourself (e.g. a port forward from the WAN to the LAN zone, and a port forward from LAN to a LAN IP).
I understand your point.
For the last 15 years I have been creating my own rules in OpenWrt, disabling its firewall by default, but now I have decided to give it and the luci interface a try.
Definitely I can add multiple rules to a web interface.
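For reference, this is what the "one rule per source zone" approach described in this thread looks like in /etc/config/firewall, as an added example that is not taken from any post above or from the OpenWrt project itself. It assumes two zones named `iot` and `guest` already exist in the firewall config (those names are assumptions), and it follows the OpenWrt DNS-intercept recipe, where a DNAT redirect with no `dest_ip` sends the traffic to the router itself. Each `config redirect` becomes its own entry in that zone's `dstnat_<zone>` chain, which is the 1:1 mapping between UCI sections and nft rules that the replies refer to.

```uci
# Assumed zone names: 'iot' and 'guest' (not from the original thread).
# One redirect section per source zone; the two differ only in 'src'.

config redirect
	option name 'Intercept-DNS-IoT'
	option src 'iot'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'
	# no dest_ip: fw4 redirects the queries to the router's own resolver

config redirect
	option name 'Intercept-DNS-Guest'
	option src 'guest'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'
	# no dest_ip: fw4 redirects the queries to the router's own resolver
```

After `service firewall restart`, `fw4 print` shows the generated ruleset; look for the two entries under the `dstnat_iot` and `dstnat_guest` chains to confirm that each UCI section produced exactly one nft rule and that neither targets a zone you did not intend. The `proto 'tcp udp'` line matters: DNS over TCP is used for large responses and zone transfers, so a UDP-only redirect would leave a bypass.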