Wildcard (Asterisk) Any Zone Source Firewall Behavior

Hello! I'm trying to understand the '*' wildcard in traffic rules in OpenWRT 25.12.4 Firewall (fw4).

My intent in this example is to allow zone traffic to router, but to only allow vlan99 to be able to access uhttpd port 443. My understanding is that rules happen in order, and these granular rules are rendered before the coarser zone rules, so I intend to make a "reject any" default for the uhttpd port and then place specific accept rules above it. My configuration is below:

config zone
	option name 'zone99'
	option input 'ACCEPT'
	option output 'DROP'
	option forward 'DROP'
	list network 'vlan99'

config rule
	option src 'zone99'
	option name 'ACCEPT vlan99 to router uhttpd'
	list proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'
	option enabled '1'

config rule
	option src '*'
	option name 'REJECT any to router uhttpd'
	list proto 'tcp'
	option dest_port '443'
	option target 'REJECT'
	option enabled '1'

The rendered nft ruleset is below (showing input logic only):

table inet fw4 {
	chain input {
		type filter hook input priority filter; policy drop;
		tcp dport 443 counter packets 2 bytes 128 jump handle_reject comment "!fw4: REJECT any to router uhttpd"
		iifname "br-lan.99" jump input_zone99 comment "!fw4: Handle zone99 IPv4/IPv6 input traffic"
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject comment "!fw4: Reject any other traffic"
	}

	chain input_zone99 {
		tcp dport 443 counter packets 0 bytes 0 accept comment "!fw4: ACCEPT vlan99 to router uhttpd"
		jump accept_from_zone99
	}

	chain accept_from_zone99 {
		iifname "br-lan.99" counter packets 0 bytes 0 accept comment "!fw4: accept zone99 IPv4/IPv6 traffic"
	}
}

It seems that the option src '*' rule was placed above the option src 'zone99' rule. I'm confused as to why, and a 20 min read + search didn't yield me results.

Why does the '*' rule behave like this and how would I go about understanding the order of rules? Also, how would I achieve what I want in a simple manner? I tried negation ! but that doesn't seem to work. Thank you!

Order matters within a zone (sub-chain).

When using an asterisk (*), the rule is created directly in the main chain (where order also matters), before the rules that forward packets to sub-chains (zones), based on in/out interfaces.

config rule
	option src '*'
	option name 'ACCEPT vlan99 to router uhttpd'
	list proto 'tcp'
	option direction 'in'
	option device 'br-lan.99'
	option dest_port '443'
	option target 'ACCEPT'

config rule
	option src '*'
	option name 'REJECT any to router uhttpd'
	list proto 'tcp'
	option dest_port '443'
	option target 'REJECT'
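
Added example, not part of either post and not fw4's own code: a simplified Python model of the placement described in the answer ('*' rules go into the main input chain ahead of the zone jumps, zone rules go into input_<zone>), evaluated first-match against both configurations from the thread. The function names, the direct zone-to-device mapping and the second interface br-lan.10 are assumptions made for the illustration.

```python
# Added illustration: a simplified model of rule placement, not fw4's own code.
def render(zones, rules):
    chains = {"input": []}
    for z in zones:
        chains["input_" + z["name"]] = []
    for r in rules:  # config order is preserved inside each chain
        target_chain = "input" if r["src"] == "*" else "input_" + r["src"]
        chains[target_chain].append(r)
    for z in zones:  # zone jumps land after every '*' rule in the main chain
        sub = "input_" + z["name"]
        chains["input"].append({"jump": sub, "device": z["device"]})
        chains[sub].append({"name": "zone input policy", "device": z["device"],
                            "target": z["input"]})
    return chains

def matches(rule, pkt):
    # A field missing from the rule matches any packet value.
    return (rule.get("device", pkt["iif"]) == pkt["iif"]
            and rule.get("proto", pkt["proto"]) == pkt["proto"]
            and rule.get("dest_port", pkt["dport"]) == pkt["dport"])

def walk(chains, pkt, chain):
    for r in chains[chain]:  # first terminal match wins
        if not matches(r, pkt):
            continue
        if "jump" in r:
            hit = walk(chains, pkt, r["jump"])
            if hit:
                return hit
        else:
            return r["target"], r["name"]
    return None  # fell off the end of the chain

def verdict(zones, rules, pkt):
    return walk(render(zones, rules), pkt, "input") or ("DROP", "chain policy")

# Constructed data mirroring the thread; zone99 is mapped straight to br-lan.99.
ZONES = [{"name": "zone99", "device": "br-lan.99", "input": "ACCEPT"}]
REJECT_ANY = {"src": "*", "name": "REJECT any to router uhttpd",
              "proto": "tcp", "dest_port": 443, "target": "REJECT"}
ORIGINAL = [{"src": "zone99", "name": "ACCEPT vlan99 to router uhttpd",
             "proto": "tcp", "dest_port": 443, "target": "ACCEPT"}, REJECT_ANY]
SUGGESTED = [{"src": "*", "name": "ACCEPT vlan99 to router uhttpd", "device": "br-lan.99",
              "proto": "tcp", "dest_port": 443, "target": "ACCEPT"}, REJECT_ANY]

if __name__ == "__main__":
    for iif in ("br-lan.99", "br-lan.10"):  # br-lan.10 is a made-up second interface
        pkt = {"iif": iif, "proto": "tcp", "dport": 443}
        print(iif, verdict(ZONES, ORIGINAL, pkt), verdict(ZONES, SUGGESTED, pkt))
```
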