You cannot use UCI in firewall includes!

# /etc/config/firewall
config include
	option enabled 1
	option type 'uci'
	option path '/etc/config/firewall.d/User-Allow-WireGuard'

# /etc/config/firewall.d/User-Allow-WireGuard
config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '53260'
	option proto 'udp'
	option target 'ACCEPT'

You cannot use UCI in firewall includes!
Include '/etc/firewall.user' failed with exit code 1

The /etc/config/firewall file contains numerous rules, and its content is becoming increasingly voluminous. Therefore, it is recommended to split the proposed new feature into multiple files for easier organization and management.
It is recommended to refer to the configuration file management of nginx/conf.d, which is elegant and concise.

This is documented and by design.

  • The UCI firewall configuration in /etc/config/firewall covers a reasonable subset of NetFilter rules, but not all of them.
  • To provide more functionality, include mechanisms are available.
  • You can either include a shell script with nftables commands, or include nftables snippets at different locations.
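The second mechanism named above (an nftables snippet spliced into a fw4 chain) applied to the rule the original post wanted, as an added example that is not from this thread or from the fw4 project. The section name 'allow_wireguard' and the snippet path /etc/firewall.d/allow-wireguard.nft are my own choices; the port 53260/udp is the one from the original post.

```uci
# /etc/config/firewall  (section name 'allow_wireguard' is an assumption)
# position 'chain-pre' splices the file in at the top of the named fw4
# chain, i.e. ahead of the "jump reject_from_wan" that ends input_wan.
config include 'allow_wireguard'
	option enabled '1'
	option type 'nftables'
	option path '/etc/firewall.d/allow-wireguard.nft'
	option position 'chain-pre'
	option chain 'input_wan'

# /etc/firewall.d/allow-wireguard.nft  (path is an assumption)
# Rule statements only, no table/chain wrapper: fw4 inserts this file
# inside "chain input_wan { ... }" of "table inet fw4".
udp dport 53260 counter accept comment "Allow-WireGuard"
```

Run `fw4 check` to validate the generated ruleset before `fw4 reload` applies it; `fw4 print` shows where the snippet landed. Keep the snippet out of /etc/nftables.d: fw4 already globs /etc/nftables.d/*.nft at table scope, where bare rule statements do not parse, and the file would be pulled in twice.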

Yeah, works great if you add the proper parameters:

$ grep include /etc/config/firewall -A4
config include
        option enabled '1'
        option type 'script'
        option path '/etc/firewall.user'
        option fw4_compatible '1'

$ cat /etc/firewall.user
#!/bin/sh
# Runs after fw4 has loaded its ruleset. Find the handle of the final
# "jump reject_from_wan" rule so the new rule is inserted ahead of it
# ("nft -a" prints "# handle N" at the end of every rule line).
handle=$(nft -a list chain inet fw4 input_wan | awk '/jump reject_from_wan /{print $(NF)}')
if [ -z "$handle" ]; then
	echo "jump reject_from_wan not found in chain input_wan" >&2
	exit 1
fi
echo "jump rule handle=$handle"
# "insert ... position H" places the rule before handle H
nft insert rule inet fw4 input_wan position "$handle" \
	'tcp dport 22 counter accept comment "DANGER allow WAN SSH, see /etc/firewall.user"'

It should just be another rule in the config file, no need for an include.

Who is recommending this?

So there’s no recommendation then. There’s a request from ‘some’ users (or is that just you?).

You are always free to amend the code to alter how include files work and then submit a pull request to have it added.

This doesn’t seem to be a real recommendation from any actual users.

That said, it is recommended to refer to the documentation (to which I linked earlier) because it does specify how the includes are intended to be used.

The issue encountered here is simply that the entries in your include files were not valid - a fact that is confirmed by the documentation.