Why do rules disappear from the nft table a few minutes after running my shell script, even though they are initially added successfully?

Openwrt version 22.03.03

I've created a shell script as shown below, intending to add rules to the nft table. However, a few minutes after executing the script, the rules disappeared despite having been successfully added to the nft table initially.

vi /etc/keepalived/nft3.sh

#!/bin/sh
# wait 20 seconds before inserting the rules
sleep 20
# allow the two peers to reach TCP/18023 via the fw4 WAN input chain
nft insert rule inet fw4 input_wan ip saddr 1.1.1.1 tcp dport 18023 counter accept
nft insert rule inet fw4 input_wan ip saddr 2.2.2.2 tcp dport 18023 counter accept

  1. Is it possible that the firewall resets its corresponding nft table periodically?

  2. I suspect that since running keepalived (vrrp), the firewall might be resetting the nft table during a Master<>Backup switch.

What could be the reason? How can I prevent the nft table from being reset?

Thanks a lot

Create the proper include section or better use the UCI syntax for your rules.

2 Likes
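The include-section approach mentioned in the reply above, as an added example that is not part of the original thread. Rules inserted with `nft` at runtime live only in the kernel ruleset, so the next fw4 reload (here, the one triggered when keepalived promotes the node to MASTER) regenerates the `inet fw4` table without them; an fw4 include is re-read on every reload. The script assumes an OpenWrt 22.03 `config include` section of type `nftables` with `option position chain-pre` and `option chain input_wan`, whose file holds bare rule statements; the section name `kalive_inc`, the file name `/etc/nftables.d/keepalived.nft`, and the peer addresses and port are this example's own choices. `missing_rules` is a post-reload check that reads `nft list chain inet fw4 input_wan` output and reports any peer whose rule is gone.

```shell
#!/bin/sh
# Added example (not from the thread): keep the keepalived allow rules as an
# fw4 include so fw4 re-creates them on every reload, instead of inserting
# them with `nft` where the next reload discards them.
#
# Assumptions (labelled): fw4 on OpenWrt 22.03 accepts
#   config include 'kalive_inc'
#       option type nftables
#       option path /etc/nftables.d/keepalived.nft
#       option position chain-pre
#       option chain input_wan
# and inserts the file's rule statements at the top of chain input_wan.
# Section name, file name, peer addresses and port are chosen for this example.

INCLUDE_FILE="${INCLUDE_FILE:-/etc/nftables.d/keepalived.nft}"
UCI_SECTION="${UCI_SECTION:-kalive_inc}"

# render_keepalived_rules PORT IP... : emit one accept rule per peer address,
# in the bare rule-statement form a chain-pre include file expects.
render_keepalived_rules() {
    port="$1"; shift
    for ip in "$@"; do
        printf 'ip saddr %s tcp dport %s counter accept\n' "$ip" "$port"
    done
}

# missing_rules PORT IP... : read `nft list chain inet fw4 input_wan` output on
# stdin and print every peer address whose accept rule is absent. Returns 0
# when all rules are present, 1 otherwise, so it can gate a keepalived notify
# script or a periodic check after a reload.
missing_rules() {
    port="$1"; shift
    _listing=$(cat)
    rc=0
    for ip in "$@"; do
        # fixed-string match; the trailing space keeps 18023 from matching 180230
        if ! printf '%s\n' "$_listing" | grep -qF "ip saddr $ip tcp dport $port "; then
            printf '%s\n' "$ip"
            rc=1
        fi
    done
    return $rc
}

# install_include PORT IP... : write the include file, register the UCI include
# section and restart the firewall. Run as root on the router.
install_include() {
    port="$1"; shift
    mkdir -p "$(dirname "$INCLUDE_FILE")"
    render_keepalived_rules "$port" "$@" > "$INCLUDE_FILE"
    uci -q delete "firewall.$UCI_SECTION"
    uci set "firewall.$UCI_SECTION=include"
    uci set "firewall.$UCI_SECTION.type=nftables"
    uci set "firewall.$UCI_SECTION.path=$INCLUDE_FILE"
    uci set "firewall.$UCI_SECTION.position=chain-pre"
    uci set "firewall.$UCI_SECTION.chain=input_wan"
    uci commit firewall
    /etc/init.d/firewall restart
}

# Usage on the router, e.g. once from a shell and then from a keepalived
# notify script after each MASTER transition:
#   install_include 18023 1.1.1.1 2.2.2.2
#   nft list chain inet fw4 input_wan | missing_rules 18023 1.1.1.1 2.2.2.2
```

Because the rules now come from the include file, `fw4 reload` (or the restart keepalived causes) rebuilds them along with the rest of the table; the `missing_rules` check is what turns "the rules vanished a few minutes later" into an explicit, scriptable failure instead of a surprise.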

Confirmed, when using keepalived and the node switches to the Master status, the Master will reset its firewall. In this situation, how do I prevent the firewall from being reset?

Thank you for your suggestion. Are you suggesting that I should avoid using this kind of nft command line, and instead use uci or the section you mentioned above? I can confirm that when using keepalived and the node switches to the Master status, the Master node will reset its firewall. I'm not sure how to create the proper section you mentioned above.

# replace any previous rule section of the same name
uci -q delete firewall.kalive
uci set firewall.kalive="rule"
uci set firewall.kalive.name="Allow-Keepalived"
# match traffic arriving from the wan zone from either peer address
uci set firewall.kalive.src="wan"
uci add_list firewall.kalive.src_ip="1.1.1.1"
uci add_list firewall.kalive.src_ip="2.2.2.2"
uci set firewall.kalive.dest_port="18023"
uci set firewall.kalive.proto="tcp"
uci set firewall.kalive.target="ACCEPT"
# persist the change and regenerate the fw4 ruleset; the rule is now
# re-created on every firewall reload
uci commit firewall
/etc/init.d/firewall restart

3 Likes