I'm currently trying to do as much LuCI configuration as possible. My firewall rule already works if defined like this in /etc/nftables.d/xxx
define IPSET_SRCIP = {
    IP1,
    IP2,
    IP3,
}
chain dstnat_WAN {
    ip saddr $IPSET_SRCIP tcp dport 443 counter packets 0 bytes 0 dnat ip to INTERNAL_IP:443 comment "!fw4: TCP-443"
}
I'd like to just use nftables.d to define IPSET_SRCIP and then reference this from the LuCI firewall UI. Manually putting this into /etc/config/firewall does NOT work, but it is my feature request at the moment.
config redirect
    option dest 'LAN'
    option target 'DNAT'
    option name 'TCP-443'
    list proto 'tcp'
    option src 'WAN'
    option src_dport '443'
    option dest_ip 'INTERNAL_IP'
    option dest_port '443'
    option src_ip '$IPSET_SRCIP'
Issuing "fw4 reload" via SSH leads to this error:
Section @redirect[0] (TCP-443) option 'src_ip' specifies invalid value '$IPSET_SRCIP'
Section @redirect[0] (TCP-443) skipped due to invalid options
May this be supported in the future? I'm currently on latest snapshot, device is Xiaomi AX3600.
Thank you very much. That works fine. Can I also define the IPSET in /etc/nftables.d/xxx and then reference it from /etc/config/firewall?
I'm asking because my IP whitelist is generated by a cron bash script and it's much easier for the script to write to /etc/nftables.d/xxx.
UPDATE: I think it's this syntax. But is it also sourceIP filtered or src or dst?
set ipset_srcip {
    type ipv4_addr
    flags interval
    auto-merge
    elements = { 1.0.0.0/16, 2.0.0.0/16,
                 3.0.0.0/16, 4.0.0.0/16 }
}
But one PROBLEM. After "fw4 reload", it says:
Section @redirect[0] (TCP-443) references unknown set 'ipset_srcip
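Added example, not from the thread or from fw4 itself: the cron side of this setup, i.e. a POSIX sh script that turns a plain whitelist file into the `set ipset_srcip { ... }` fragment shown above. The point of the extra checks is that a single malformed line written by the cron job would otherwise make the whole ruleset fail to load on "fw4 reload", taking every other rule down with it; so each entry is validated as an IPv4 address or prefix, the fragment is only swapped in after it is written completely, and "fw4 check" (which test-compiles the generated ruleset) gates the reload, with the previous fragment restored on failure. The whitelist path `/etc/firewall.whitelist`, the fragment name `90-ipset-srcip.nft` and the `WHITELIST` variable are assumptions for the example; `fw4 check`, `fw4 reload` and `fw4 print` are real fw4 subcommands.

```shell
#!/bin/sh
# Added example (not from the thread): render a cron-maintained IPv4 whitelist into an
# fw4 include fragment, dropping malformed entries so one bad line cannot break
# "fw4 reload" for the entire firewall. File names below are assumptions.
set -eu

SET_NAME=ipset_srcip                              # set name used in the thread
WHITELIST=${WHITELIST:-/etc/firewall.whitelist}   # hypothetical: one address/prefix per line
FRAGMENT=/etc/nftables.d/90-ipset-srcip.nft      # hypothetical fragment path (*.nft is included by fw4)

# is_ipv4_cidr ADDR[/PLEN]: exit 0 only for a well-formed dotted-quad IPv4 address or prefix.
is_ipv4_cidr() {
    [ -n "${1-}" ] || return 1
    addr=${1%/*}
    if [ "$addr" = "$1" ]; then plen=32; else plen=${1#*/}; fi
    case $plen in ''|*[!0-9]*) return 1 ;; esac       # prefix length must be all digits
    [ "$plen" -le 32 ] || return 1
    case $addr in .*|*.|*..*) return 1 ;; esac          # reject leading/trailing/doubled dots
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs   # split on dots into the function's $@
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# render_set: reads the whitelist on stdin and writes the nft set definition to stdout.
# Blank lines and "# comments" are ignored; invalid entries are reported on stderr and dropped.
render_set() {
    elems=
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # strip trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t')         # strip whitespace
        [ -n "$line" ] || continue
        if is_ipv4_cidr "$line"; then
            elems="${elems:+$elems, }$line"
        else
            printf 'render_set: skipping invalid entry %s\n' "$line" >&2
        fi
    done
    printf 'set %s {\n\ttype ipv4_addr\n\tflags interval\n\tauto-merge\n' "$SET_NAME"
    # an empty set is still valid nft syntax; only emit "elements" when there are some
    [ -z "$elems" ] || printf '\telements = { %s }\n' "$elems"
    printf '}\n'
}

# install_fragment: write the new fragment next to the old one, swap it in with a rename,
# and only reload if fw4 accepts the resulting ruleset; otherwise put the old fragment back.
install_fragment() {
    render_set < "$WHITELIST" > "$FRAGMENT.new"
    [ ! -f "$FRAGMENT" ] || cp "$FRAGMENT" "$FRAGMENT.bak"
    mv "$FRAGMENT.new" "$FRAGMENT"
    if fw4 check; then
        fw4 reload
    else
        echo "install_fragment: fw4 check rejected the new fragment, restoring previous one" >&2
        [ ! -f "$FRAGMENT.bak" ] || mv "$FRAGMENT.bak" "$FRAGMENT"
        return 1
    fi
}

if [ "${1-}" = install ]; then
    install_fragment
else
    # Constructed sample input mirroring the thread's layout; the last line is deliberately
    # not an address and is skipped rather than ending up in the fragment.
    printf '1.0.0.0/16\n2.0.0.0/16\n3.0.0.0/16\n4.0.0.0/16\n# placeholder, will be skipped:\nINTERNAL_IP\n' | render_set
fi
```

Run it without arguments to see the rendered fragment, and as `script.sh install` from cron to apply it. After a successful reload, `fw4 print` dumps the complete generated ruleset, which is the quickest way to see where the set ended up and which rule (and which `saddr`/`daddr` match) actually references it.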