[Solved] How to make nftables changes stay?

I have some static port forwarding rules in the GUI, but before the latest upgrade (OpenWrt 22.03) I would also add/update dynamic iptables rules (via the CLI), and that worked well. Now my sets and new chains stay, but edits to chains made by OpenWrt are lost after a few days.

# the following works:
nft add chain inet "fw4" "example"
nft add rule inet "fw4" "example" counter return

# the following works for a few days then disappears
# (H=2166 or the like):
nft insert rule inet "fw4" "forward_lan" position "$H" jump "example"

I found

/etc/nftables.d/10-custom-filter-chains.nft
/usr/share/nftables.d/README

but those can't edit a chain...

Am I expected to put my rules in some file?
Or is there some hook to register with?
Or some script to edit?
Also, why is OpenWrt re-building the chains without any logins or reboots?

Include custom chains:
/usr/share/nftables.d/table-pre/*.nft

Include rules at end of forward_lan chain:
/usr/share/nftables.d/chain-post/forward_lan/*.nft

See https://openwrt.org/docs/guide-user/firewall/firewall_configuration#drop-in_includes_for_package_authors


Thanks for the quick reply, jow. I'll try

/usr/share/nftables.d/chain-pre/forward_lan/example.nft

(appending to forward_lan would not work for me as it's full of "accept" lines and I'm adding "reject" lines)

I'd also suggest appending /usr/share/nftables.d/chain-pre/ to /etc/sysupgrade.conf (or LuCI System -> Backup/Flash Firmware -> Configuration tab) so that system upgrades don't delete your changes.
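Putting the two replies together, here is an added example (not code from the thread or from OpenWrt) that writes the drop-in files corresponding to the runtime nft commands in the question, the chain definition under table-pre and the jump at the head of forward_lan under chain-pre, and registers the include directory with sysupgrade. The chain name "example", the reject rule and the ROOT/conf-path parameters are constructed; it keeps the whole /usr/share/nftables.d/ directory rather than only chain-pre/, since the chain definition lives in table-pre/ as well.

```shell
#!/bin/sh
# Added example: fw4 drop-ins that survive fw4 regenerating its ruleset.
# "$1" is the include root (defaults to /usr/share/nftables.d); a test
# can pass a temporary directory instead. Rule content is constructed.

# Write the two drop-in files under the given root.
write_dropins() {
    root="${1:-/usr/share/nftables.d}"
    mkdir -p "$root/table-pre" "$root/chain-pre/forward_lan"

    # table-pre/*.nft is included inside "table inet fw4 { ... }" before the
    # fw4 chains, so a regular (hook-less) chain definition belongs here.
    cat > "$root/table-pre/example.nft" <<'EOF'
chain example {
    # constructed sample "reject" line, then fall back to the caller
    tcp dport 2222 counter reject with tcp reset
    counter return
}
EOF

    # chain-pre/forward_lan/*.nft is included at the top of chain forward_lan,
    # ahead of fw4's own accept rules, as the runtime "insert ... position" did.
    cat > "$root/chain-pre/forward_lan/example.nft" <<'EOF'
jump example
EOF
}

# Keep the include directory across sysupgrade (idempotent append to "$1",
# which defaults to /etc/sysupgrade.conf).
keep_across_sysupgrade() {
    conf="${1:-/etc/sysupgrade.conf}"
    grep -qx '/usr/share/nftables.d/' "$conf" 2>/dev/null ||
        echo '/usr/share/nftables.d/' >> "$conf"
}

# Regenerate the ruleset and show the resulting chain, only where fw4 exists.
apply_if_router() {
    command -v fw4 >/dev/null 2>&1 || return 0
    fw4 reload && nft list chain inet fw4 forward_lan
}
```

After `fw4 reload` the jump should appear as the first rule of forward_lan, and it will be re-included on every later regeneration without any handle bookkeeping.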
