I'm new to OpenWRT. I want to add a firewall rule that allows UDP traffic from the WAN gateway to the OpenWRT router. Seems like a simple matter of a few lines in /etc/firewall.user. Thus, the contents of my firewall.user are as follows:
What dumb thing am I doing wrong? Is there something in my firewall.user that doesn't work in the boot context? If there are errors encountered in firewall.user during boot, in which log would I find that information? I'm not seeing anything in syslog.
Yes, that does appear to be the culprit. If I remove the call to network_get_gateway and provide a hard-coded IP, I see the rule applied out of reset.
I'll reevaluate if I really need the -s $wan_gateway constraint.
I thought about that, but then the rule would be repeatedly added on every reload, right? I mean, does a reload clear out the input_wan_rule table of any existing rules before executing firewall.user? Would I need to deal with that in my firewall.user?
I went ahead and tried setting option reload '1' on firewall.user. It does result in duplicate rules, but simply flushing input_wan_rule seems innocuous enough to me for my situation:
Thanks for that idea, but it did not appear to work for me. The 30s timeout must have elapsed before the interface came up. I'm guessing the interface gets brought up by a separate thread during boot? Perhaps a longer timeout would do the trick, but I think in a case where the WAN interface is brought up/down after boot this approach would not always yield the desired outcome.
If I'm interpreting @anon50098793 correctly, the firewall is reloaded whenever an interface is brought up, so I think option reload '1' and the table flush may be the most robust solution for my specific case.
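For reference, below is a firewall.user that combines the ideas discussed in this thread: resolve the gateway with network_get_gateway from /lib/functions/network.sh, skip quietly when the wan interface is not up yet (so an early boot run does not fail), and flush input_wan_rule before re-adding so that `option reload '1'` does not accumulate duplicates. This is an added example, not the original poster's script; it assumes the fw3/iptables-era OpenWrt layout where input_wan_rule exists as the user chain for the wan zone, and the UDP port (1194) and the `config include ... option reload '1'` stanza in /etc/config/firewall are assumptions, since the thread does not show them.

```shell
#!/bin/sh
# /etc/firewall.user (added example, not the thread author's file).
# Assumed matching include in /etc/config/firewall:
#   config include
#       option path '/etc/firewall.user'
#       option reload '1'
# With reload '1' this file runs on every firewall reload, including the
# reload triggered when the wan interface comes up after boot.

# Illustrative assumption: the UDP service the gateway may reach on the router.
WAN_UDP_PORT="${WAN_UDP_PORT:-1194}"

# Print the current wan gateway address, or return non-zero if it is not
# known yet (interface still down). Uses the OpenWrt network helper library.
wan_gateway() {
    [ -r /lib/functions/network.sh ] || return 1
    . /lib/functions/network.sh
    network_flush_cache            # do not trust a cached answer from a prior run
    gw=""
    network_get_gateway gw wan || return 1
    [ -n "$gw" ] || return 1
    printf '%s\n' "$gw"
}

# Build the iptables rule arguments for input_wan_rule from a gateway and port.
# Kept free of side effects so it can be checked without iptables present.
build_rule() {
    rule_gw="$1"
    rule_port="$2"
    [ -n "$rule_gw" ] || return 1   # refuse to emit a rule with an empty source
    printf 'input_wan_rule -s %s -p udp --dport %s -j ACCEPT\n' "$rule_gw" "$rule_port"
}

apply_rules() {
    # input_wan_rule is a user chain that fw3 creates but never populates itself,
    # so flushing it only removes rules added by this file on earlier reloads.
    iptables -F input_wan_rule

    if gw="$(wan_gateway)"; then
        # shellcheck disable=SC2046  # word splitting of the rule arguments is intended
        iptables -A $(build_rule "$gw" "$WAN_UDP_PORT")
        logger -t firewall.user "allowed UDP/$WAN_UDP_PORT from wan gateway $gw"
    else
        # wan not up yet: nothing to do now, the reload on ifup will run us again.
        logger -t firewall.user "wan gateway not available, rule not added"
    fi
    return 0
}

# Only act when running on OpenWrt; elsewhere the functions are just defined.
if [ -r /lib/functions/network.sh ]; then
    apply_rules
fi
```

The guard around wan_gateway is the part that matters for the boot case: a missing gateway is treated as "not yet", not as an error, and the next reload (triggered by the interface coming up) adds the rule. If you later decide you do not need the `-s` constraint, build_rule is the only place to change.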