Option to include custom firewall rules in luci


Is there a reason why custom firewall rules can't be included in luci (stored in "/etc/confg/firewall")?

Something like this would be nice:

config include
	option type 'nftables'
	option rule 'udp port 1234 log'
	option position 'chain-prepend'
	option chain 'input_lan'

I was toying with the idea of reintroducing an equivalent to the old iptables specific extra option which allowed passing arbitrarily iptables arguments. We could introduce a new option nft … which is valid in all section types and then allow configuring it through uci.

Problem is that such an option is a loaded shotgun aimed at your feet… it is impossible to validate ui-side and entering something invalid will render the whole firewall inoperable since the ruleset cannot be loaded.


Thank you for your answer!

I've thought about the "shotgun" but wrongly assumed it would be the same fetching the nft-commands from a variable or a file.

Moreover, I guess there are many "shotguns" in any firewall-gui's

You’re right, it’s not worse than the previously existing “extra” option. Will take the time to implement this during the next few days


Is it possible to validate with "nft --check"?

1 Like

Likely, just need to see how much surrounding context is needed and how to do it in the most efficient way. You probably need to embed the rule plus custom expressions into a chain structure resembling the final ruleset structure before validating it. Custom expressions could also reference named sets and the like, so need to see

In case of any use at all, in cake-qos-simple it seemed to work nicely to create a custom nft file on the fly based on customisable variables with own table like so:

And check it before loading/unloading like so:

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.