Nft script not working

Hello,
I am a newbie with OpenWrt, but...
I am running OpenWrt 23.05.3 on an EdgeRouter X.
I would like to add nft commands via a script.
I added a file bridge.nft in the /etc/nftables.d directory.
I pasted the commands below:

root@OpenWrt:/etc/config# cd /etc/nftables.d
root@OpenWrt:/etc/nftables.d# ls -l
-rw-r--r--    1 root     root          1148 Apr 26 12:50 10-custom-filter-chains.nft
-rw-r--r--    1 root     root           197 Mar 22 23:09 README
-rwxr-xr-x    1 root     root            59 Apr 26 15:29 bridge.nft
root@OpenWrt:/etc/nftables.d# cat bridge.nft
#!/bin/sh nft -f
flush ruleset
add table bridge mytable

When I do a firewall restart with /etc/init.d/firewall restart,
I get these errors:

root@OpenWrt:/etc/config# /etc/init.d/firewall restart
In file included from /dev/stdin:20:2-33:
/etc/nftables.d/bridge.nft:2:1-5: Error: syntax error, unexpected flush
flush ruleset
^^^^^
In file included from /dev/stdin:20:2-33:
/etc/nftables.d/bridge.nft:3:1-3: Error: syntax error, unexpected add
add table bridge mytable
^^^
The rendered ruleset contains errors, not doing firewall restart.

I am stuck and don't know what to do; surely it is very simple?

I would appreciate any help.
Thanks in advance, regards

Just try

table bridge mytable {
}

You can use /etc/nftables.d only to add custom chains/rules to the inet fw4 table using the nftables output format.

For your needs, check out the fw4 includes.

If you insist on using a script, here's the right way:

# remove the .nft fragment that makes the rendered ruleset fail
rm /etc/nftables.d/bridge*

# register a 'script' include; fw4 runs it after loading its own ruleset
uci add firewall include
uci set firewall.@include[-1].type='script'
uci set firewall.@include[-1].path='/etc/bridge.sh'

# the script itself: plain nft commands, not an nftables.d fragment
cat << "EOF" > /etc/bridge.sh
nft flush ruleset
nft add table bridge mytable
EOF
uci commit firewall
fw4 restart

You know this will flush all firewall rules and create an empty table of bridge family, right?

Also, I assume you have the kmod-nft-bridge package installed.


Thanks a lot, it works.
I will continue to add nft rules to be able to log traffic using the bridge.
Yes, I have relayd and kmod-nft-bridge installed.

Thanks again


flush ruleset is not correct.
You need to add and drop the table, then define its full content.

OK, I will do it.
Thanks

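Putting the two replies together (a fw4 'script' include instead of an /etc/nftables.d fragment, and "add table; delete table; full definition" instead of "flush ruleset"), here is an added example of what such an include could look like. It is not code from the thread or from the fw4 project. Assumptions: the install path /etc/bridge.sh from the reply above, the table name mytable, a forward-hook chain that logs bridged frames with the prefix "bridge-fwd: " (the OP's stated goal), and that fw4 executes the include as a shell script under that file name. The script renders the nft ruleset as text, refuses to apply anything containing "flush ruleset" (which would also wipe fw4's own inet fw4 table), and only then feeds it to nft -f.

```shell
#!/bin/sh
# Hypothetical fw4 'script' include (assumed path: /etc/bridge.sh).
# Registered with:
#   uci add firewall include
#   uci set firewall.@include[-1].type='script'
#   uci set firewall.@include[-1].path='/etc/bridge.sh'
#
# The ruleset is (re)created idempotently: "add table" guarantees it exists,
# "delete table" drops it with all its chains and rules, then the full
# definition follows. No "flush ruleset", so the inet fw4 table is untouched.

TABLE_FAMILY=bridge
TABLE_NAME=mytable
LOG_PREFIX="bridge-fwd: "   # assumed prefix; shows up in logread

# Print the complete nft script to stdout (used with nft -f -).
render_bridge_ruleset() {
    cat <<EOF
add table $TABLE_FAMILY $TABLE_NAME
delete table $TABLE_FAMILY $TABLE_NAME
table $TABLE_FAMILY $TABLE_NAME {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # log frames forwarded between bridge ports, rate-limited so a
        # flood cannot fill the log
        limit rate 10/second burst 20 packets counter log prefix "$LOG_PREFIX"
    }
}
EOF
}

# Sanity check on the rendered text before it reaches the kernel.
# Returns 1 if the script would flush everything or is not self-healing.
check_bridge_ruleset() {
    if printf '%s\n' "$1" | grep -q '^[[:space:]]*flush ruleset'; then
        echo "refusing to apply: script contains 'flush ruleset'" >&2
        return 1
    fi
    printf '%s\n' "$1" | grep -q "^add table $TABLE_FAMILY $TABLE_NAME\$" || return 1
    printf '%s\n' "$1" | grep -q "^delete table $TABLE_FAMILY $TABLE_NAME\$" || return 1
}

# Render, check, and load the ruleset in one nft transaction.
apply_bridge_ruleset() {
    ruleset=$(render_bridge_ruleset)
    check_bridge_ruleset "$ruleset" || return 1
    command -v nft >/dev/null 2>&1 || { echo "nft not found" >&2; return 1; }
    printf '%s\n' "$ruleset" | nft -f -
}

# Self-apply only when executed under the installed name, so the file can be
# sourced elsewhere to inspect the rendered ruleset without touching the
# live firewall.
case "${0##*/}" in
    bridge.sh) apply_bridge_ruleset ;;
esac
```

After `fw4 restart`, `nft list table bridge mytable` should show the chain, and a second restart must not fail: the add/delete pair is what makes the script safe to re-run, which is the point of the last reply. Logging from the bridge family also depends on the kernel's nf_log backend for that family being present; if nft accepts the rule but nothing appears in logread, that is the first thing to check.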
