I am trying to insert a rule to the chain reject_to_wan. From the snippets documentation, I should be able to do it by creating a file under /usr/share/nftables.d/chain-pre/reject_to_wan/log.nft.
The content of the file is:
limit rate 1/second burst 5 packets counter log prefix "reject2wan: "
When I reload the file I can see
Automatically including '/usr/share/nftables.d/chain-pre/reject_to_wan/log.nft'
But unfortunately my chain still has only the default rule there.
chain reject_to_wan {
oifname { "pppoe-wan1", "lan4" } counter jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
What am I doing wrong?
efahl
May 1, 2023, 11:25pm
2
Oops, original post completely misread your post, here's a complete rewrite:
Some chains do not have %includes in them; reject_to_wan is one of them.
More details than you ever wanted...
Hi everyone!
After migrating from fw3 to fw4, I need to add custom log filters so they can be parsed by my ELK stack easily.
To do so, I've read this doc and I realized that not all chains are taken into account (or I misread the doc).
For example, I'd like to customize the drop_from_wan to log dropped packets coming from my WAN:
...
config include
option type 'nftables'
option path '/etc/test.nft'
option position 'chain-post'
option chain 'drop_from_wan'
Running fw4 does not show any…
efahl
May 1, 2023, 11:37pm
3
Here's a complete set from my notes:
There are four chain rendering sections where these calls to fw4.includes are missing:
{verdict}_from_{zone}
{verdict}_to_{zone}
helper_{zone}
notrack_{zone}
Terminal chains:
handle_reject - unconditionally rendered jump-to rule
syn_flood - conditionally rendered if (fw4.default_option("synflood_protect") && fw4.default_option("synflood_rate"))
Notable: raw_prerouting has no chain-pre includes.
Solution is to put some appropriate command in /etc/firewall.user (see below), along with enabling that file in /etc/config/firewall with
config include
option enabled '1'
option type 'script'
option path '/etc/firewall.user'
option fw4_compatible '1'
Edit - I'm back with a possible insert command:
handle=$(nft -a list chain inet fw4 reject_from_wan | awk '/jump handle_reject /{print $(NF)}')
nft insert rule inet fw4 reject_from_wan position $handle ' limit rate 1/second burst 5 packets counter log prefix "reject2wan: " '
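The two-step approach above (read the handle of the `jump handle_reject` rule with `nft -a`, then `nft insert rule ... position <handle>` to place the log rule before it) worked out as a small script, written as an added example rather than code from this thread or from fw4. It targets reject_to_wan, the chain the original question asked about, and adds a presence check so the script can be rerun from /etc/firewall.user without stacking duplicate log rules. SAMPLE_CHAIN is constructed to resemble `nft -a list chain inet fw4 reject_to_wan` output; the handle number 42 is made up, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not efahl's code or fw4's: find the handle of the jump rule
# in a chain, check whether our log rule is already there, and print the
# nft insert command that puts the log rule in front of the jump.
# SAMPLE_CHAIN is constructed to look like `nft -a list chain inet fw4
# reject_to_wan`; handle 42 is an invented number.

SAMPLE_CHAIN='table inet fw4 {
	chain reject_to_wan {
		oifname { "pppoe-wan1", "lan4" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic" # handle 42
	}
}'

# find_jump_handle TARGET CHAIN_TEXT
# Prints the handle of the first rule that jumps to TARGET, or nothing if
# there is no such rule. The "# handle N" suffix is what `nft -a` appends.
find_jump_handle() {
    printf '%s\n' "$2" | awk -v t="jump $1 " '
        index($0, t) && /# handle [0-9]+$/ { print $NF; exit }'
}

# log_rule_present PREFIX CHAIN_TEXT
# Succeeds if a rule with `log prefix "PREFIX"` already exists in the chain,
# so running the script twice does not add a second copy of the log rule.
log_rule_present() {
    printf '%s\n' "$2" | grep -q "log prefix \"$1\""
}

# build_insert_cmd CHAIN HANDLE PREFIX
# Prints the nft command that inserts the rate-limited log rule *before*
# the rule with HANDLE (nft's `position` keyword on `insert` means "before").
build_insert_cmd() {
    printf '%s\n' "nft insert rule inet fw4 $1 position $2 limit rate 1/second burst 5 packets counter log prefix \"$3\""
}

# plan_log_rule CHAIN PREFIX CHAIN_TEXT
# Prints the insert command on stdout, or a note that the rule is already
# present; fails (exit 1) when the chain has no `jump handle_reject` rule,
# which is the case where there is nothing sensible to insert in front of.
plan_log_rule() {
    chain="$1"; prefix="$2"; text="$3"
    if log_rule_present "$prefix" "$text"; then
        echo "already present: log prefix \"$prefix\" in $chain"
        return 0
    fi
    handle=$(find_jump_handle handle_reject "$text")
    if [ -z "$handle" ]; then
        echo "no 'jump handle_reject' rule in $chain; nothing to insert before" >&2
        return 1
    fi
    build_insert_cmd "$chain" "$handle" "$prefix"
}

# Stand-alone run against the constructed sample. On a router you would pass
# "$(nft -a list chain inet fw4 reject_to_wan)" instead of "$SAMPLE_CHAIN"
# and run the printed command with eval.
plan_log_rule reject_to_wan "reject2wan: " "$SAMPLE_CHAIN"
```

The command is only printed, not executed, so the script can be read and tested off the router; in /etc/firewall.user the last line would become `eval "$(plan_log_rule ...)"`. Because fw4 rebuilds the whole `inet fw4` table on every reload, the inserted rule disappears with each reload and has to be re-added, which is exactly why the thread puts it in firewall.user (enabled with `fw4_compatible '1'`) rather than adding it once by hand.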