[PATCH firewall4] fw4: add support for include.d dir
Florian Eckert
fe at dev.tdt.de
Thu Aug 11 02:34:48 PDT 2022
Hi,

Sorry for the late reply.
> instead of introducing uci includes that configure nft includes, why not
> encode the chain/position etc. values directly into the path/filename and
> directly include the file if it exists at the expected location?
I was just wondering why not use the new feature you added to give other
packages the ability to add rules to fw4. The include feature was exactly
what was missing for fw4 to add the possibility for other packages to add
firewall rules to fw4 (nftables).
> I think the above would be a lot more manageable since you'd just have to
> place partial .nft files which are then folded into the final ruleset on fw4
> start/reload.
Sorry, but I don't agree, for the following reasons.
Let me briefly explain why.

All files under '/usr/share/firewall4/includes.d' are uci files. I can see
all relevant options. I can set my own path in the includes. This is
relevant for packages that update the ruleset on events. If I do not want
these rules to be saved persistently, I could use a tmp file in the system
(strongswan).

Also, the new include added by you already has the state file feature,
which is relevant on reloading the ruleset.

In addition, it would make the ruleset.uc file confusing if I added the
same feature again. Also, I would have to add two sections on include to
support temporary rules, which I would not have to store under
'/usr/share/firewall4/includes.d/' but under '/tmp/firewall4/includes.d/',
for example, to support the non-persistent feature.

We also use the include to add the helpers.

Last but not least, if we now add another possibility, then I don't think
anyone will know which file adds which rule!

From my point of view, it makes sense to use the include function from you
with my extension. So I think the include feature is the better and unified
solution.
Best Regards,
Florian
More information about the openwrt-devel mailing list