Option to include custom firewall rules in luci

Hello!

Is there a reason why custom firewall rules can't be included in luci (stored in "/etc/config/firewall")?

Something like this would be nice:

config include
	option type 'nftables'
	option rule 'udp port 1234 log'
	option position 'chain-prepend'
	option chain 'input_lan'

I was toying with the idea of reintroducing an equivalent to the old iptables specific extra option which allowed passing arbitrary iptables arguments. We could introduce a new option nft … which is valid in all section types and then allow configuring it through uci.

Problem is that such an option is a loaded shotgun aimed at your feet… it is impossible to validate ui-side and entering something invalid will render the whole firewall inoperable since the ruleset cannot be loaded.

Thank you for your answer!

I've thought about the "shotgun" but wrongly assumed it would be the same fetching the nft-commands from a variable or a file.

Moreover, I guess there are many "shotguns" in any firewall GUI.

You’re right, it’s not worse than the previously existing “extra” option. Will take the time to implement this during the next few days

Is it possible to validate with "nft --check"?

Likely, just need to see how much surrounding context is needed and how to do it in the most efficient way. You probably need to embed the rule plus custom expressions into a chain structure resembling the final ruleset structure before validating it. Custom expressions could also reference named sets and the like, so need to see
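As an added illustration of the "nft --check" idea raised above (this is example code written for this page, not code from the thread or from OpenWrt/fw4), the script below wraps a custom rule expression in a throwaway table and chain so that `nft --check` sees it in a context resembling the final ruleset, and returns a distinct exit status for "valid", "rejected" and "could not check here". The table name fw4_check, the input-hook chain skeleton and the optional extra-definitions argument (for named sets the rule may reference) are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the thread or of fw4: validate a user-supplied
# nft expression by embedding it in a minimal ruleset and dry-running it
# with `nft --check` before it can be written into the live firewall.

# build_skeleton CHAIN RULE [EXTRA]
#   Print a complete, loadable ruleset that places RULE inside CHAIN.
#   EXTRA holds table-level definitions the rule depends on (named sets,
#   maps); a rule that references an undefined set is rejected otherwise.
#   Table name and hook are assumptions for illustration only.
build_skeleton() {
	chain="$1"
	rule="$2"
	extra="${3:-}"
	printf 'table inet fw4_check {\n'
	[ -n "$extra" ] && printf '\t%s\n' "$extra"
	printf '\tchain %s {\n' "$chain"
	printf '\t\ttype filter hook input priority filter; policy drop;\n'
	printf '\t\t%s\n' "$rule"
	printf '\t}\n}\n'
}

# check_rule CHAIN RULE [EXTRA]
#   Exit status: 0 = nft accepts the ruleset, 1 = nft rejects it (the
#   diagnostic is forwarded on stderr), 2 = the check cannot run here.
#   The dry run parses and evaluates in user space, but in practice it still
#   initialises its cache from the kernel, which needs CAP_NET_ADMIN, so a
#   non-root run is reported as "cannot check" rather than as "invalid".
check_rule() {
	command -v nft >/dev/null 2>&1 || return 2
	[ "$(id -u)" -eq 0 ] || return 2
	tmp=$(mktemp) || return 2
	build_skeleton "$1" "$2" "${3:-}" > "$tmp"
	if nft --check -f "$tmp" 2>"$tmp.err"; then
		rm -f "$tmp" "$tmp.err"
		return 0
	fi
	# Surface nft's own line/column diagnostic so a UI can display it.
	cat "$tmp.err" >&2
	rm -f "$tmp" "$tmp.err"
	return 1
}

# Usage: the thread's sample expression uses "udp port", which nft does not
# accept; "udp dport" is the valid form. Both are constructed inputs.
if [ "${0##*/}" = "check_rule.sh" ]; then
	for r in 'udp dport 1234 log' 'udp port 1234 log'; do
		check_rule input_lan "$r"
		echo "rule '$r' -> status $?"
	done
fi
```

Only the expression itself is user input; the skeleton around it is generated, so a syntax error in the expression cannot escape into the surrounding table and chain definitions. The third argument is the hook for the "surrounding context" question: anything the rule names (sets, maps, other chains) has to be declared in the skeleton, otherwise the check fails for a reason unrelated to the rule.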

In case it is of any use at all, in cake-qos-simple it seemed to work nicely to create a custom nft file on the fly based on customisable variables with its own table, like so:

And check it before loading/unloading like so:
