No more /etc/hotplug.d/firewall?

In the docs, there is still inconsistent info about it:

Pls, update, if possible.

OR, much better, re-implement it. Using a hotplug event would be an elegant solution to re-establish custom routes from rc.local, which actually are wiped out in case of a firewall restart.

2021/03/05 01:00 Hotplug – [How it works] add firewall vgaetera

@vgaetera there are no ubus callbacks on firewall events (?to log a packet?)

Updated.

https://forum.openwrt.org/t/fw4-and-hotplug/150794/#6-by-jow


Paragraph for “firewall” hotplug.

## firewall

firewall3 implements hotplug events when the ruleset is partially re-loaded, while firewall4 (OpenWrt 22.03 and later) does not. Similar functionality can be achieved via includes: https://openwrt.org/docs/guide-user/firewall/firewall_configuration#includes_2203_and_later_with_fw4

Linked documentation may need some refresh too…

Hm… I used includes for nft-rules, but how do they work to re-establish custom routes after being wiped clean because of an fw4 restart? I thought the includes have to be nft-cmd style only.

You can create an include in the firewall config file that is a script type versus an nft command file.


firewall does not manipulate routes; it reloads on netdev hotplugs (fw4 in full, fw3 per zone).

Yep. You got it. That solves the problem:

# In /etc/config/firewall
config include
        option enabled '1'
        option type 'script'
        option path '/etc/setup/myprivateroute'
        option fw4_compatible '1'

echo /etc/setup/myprivateroute >> /etc/sysupgrade.conf
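An added example, not from the thread, of what such a script-type include could contain. It assumes the path /etc/setup/myprivateroute configured above and uses the ip rule/route pair the thread discusses further down (fwmark 1088, table 100); since fw4 runs script includes on every reload, it checks for each entry before adding it rather than piling up duplicates.

```shell
#!/bin/sh
# Added example (not from the thread): the body of a script-type firewall include,
# assumed to live at /etc/setup/myprivateroute as configured in the post above.
# fw4 runs script includes on every reload, so each run must be idempotent:
# add the ip rule / route only when it is missing instead of piling up duplicates.

MARK=1088   # fwmark matched by the thread's rule (decimal, as given in the thread)
TABLE=100   # routing table holding the local default route via lo

# has_rule RULES: succeed if RULES (the text of `ip rule show`) already has the
# "fwmark <mark> lookup <table>" entry; iproute2 prints the mark in hex.
has_rule() {
    printf '%s\n' "$1" |
        grep -qE "fwmark $(printf '0x%x' "$MARK") lookup $TABLE( |\$)"
}

# has_route ROUTES: succeed if ROUTES (the text of `ip route show table <table>`)
# already contains the local default route via lo.
has_route() {
    printf '%s\n' "$1" | grep -qE '^local default dev lo( |$)'
}

# ensure_routing: add whatever is missing; prints how many commands it ran.
ensure_routing() {
    n=0
    if ! has_rule "$(ip rule show 2>/dev/null)"; then
        ip rule add fwmark "$MARK" table "$TABLE" && n=$((n + 1))
    fi
    if ! has_route "$(ip route show table "$TABLE" 2>/dev/null)"; then
        ip route add local default dev lo table "$TABLE" && n=$((n + 1))
    fi
    echo "$n"
}

# Only touch the routing tables when running as root (as fw4 does on the router).
if [ "$(id -u)" = 0 ] && command -v ip >/dev/null 2>&1; then
    ensure_routing
fi
```

Running it by hand a second time should report 0 commands, which is the quick way to confirm it is safe under repeated firewall reloads.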

Unfortunately, using an include in /etc/config/firewall to set up a custom routing table does not always work for me. I suspect, from time to time it might interfere with routing mods done behind the curtain when the network is restarted, which happens several times during startup in my case.

One more negative effect of the non-deterministic startup procedure.

However, now my workaround is to use /etc/hotplug.d/iface/myroutingscript.sh.

More stable solution. Knock on wood.

You can set up routes via luci bringing up some interface, or use pbr for more control.

  1. Custom image. No LuCI.

  2. My very first approach was simply to include the following 3 lines at end of rc.local:

sleep 60 # Something smarter, in fact
sh /etc/myroutingscript.sh
hev-socks5-tproxy /etc/hev-socks5-tproxy/main.yml

Worked, until the next restart of the network, because my routing mods dropped.

myroutingscript.sh only contains 2 lines:

ip rule add fwmark 1088 table 100
ip route add local default dev lo table 100

I had a very first look at PBR, but it seems rather complicated for this simple requirement. BTW, it might be a good idea, on network restart, to leave custom mods (i.e. in routing) intact.

OK, type up routing table entries using uci network.

#/etc/config/network

config rule
        option lookup '100'
        option mark '1088'

config route
        option interface 'loopback'
        option type 'local'
        option target '0.0.0.0/0'
        option table '100'

Thanks from Burgas for the translation 🙂


I hope you enjoy the Black Sea 😎

Yep. For 5 years already living in Lazur. 10 minutes walk to my favourite beach bar, Caribe. Only during wintertime relocating to Asia. You are welcome for a beer 🙂

