New include directive for firewall : generate

broucari · January 9, 2017, 3:58pm

Hi,

I volonteer to implement two new directives for firewall: verbatim and generate.

The verbatim will work like #include for c. it will include other part of file in the firewall file.

The generate will be a two step

first run the command that generate a fragment of uci configuration
then load using verbatim the generated file.

This approach will have the advantage to allow easier port to nftable and moreover maybe allow modification
by luci of sqm and bcp38 rules set.

What do you think ?

Bastien

hnyman · January 9, 2017, 4:58pm

I don't understand your use case or the proposed workflow.

There are already now ways to include things from other files into the firewall config as e.g. miniupnpd and bcp38 do already now. Both use "include" config option. Bcp38 reads config from an uci config file and generates the iptables rules for firewall.

I you suggest that there should be a new "pre-uci" rule format to be converted into uci and then parsed to ip(6)tables rules in firewall config, I don't see devs really warming to the idea.

broucari · January 9, 2017, 9:21pm

the #include one will be useful for user.

the format will be uci but instead of directly run iptables script will generate uci config that are included in the main firewall file. The main advantage is the portability and the fact that luci could parse this kind of file and offer a read only view.

jow · January 10, 2017, 8:28am

@broucari - sounds useful, will check it out once you post some patches.