[PATCH firewall4] fw4: add support for include.d dir

Jo-Philipp Wich jo at mein.io
Fri Jul 22 07:59:03 PDT 2022


Hi,

instead of introducing uci includes that configure nft includes, why not
encode the chain/position etc. values directly into the path/filename and
directly include the file if it exists at the expected location?

A potential pattern could be
"[0-9][0-9]_{ruleset_pre,ruleset_post,table_pre,table_post,chain_pre_*,chain_post_*}_*.nft".

Taking the example from your mail, these *.nft includes would be stored at

/usr/share/firewall4/include.d/01_chain_pre_input_strongswan.nft
/usr/share/firewall4/include.d/02_chain_pre_output_strongswan.nft
/usr/share/firewall4/include.d/03_chain_pre_forward_strongswan.nft

Alternatively, the hooks could be moved into a subdirectory structure for
better clarity:

  /usr/share/firewall4/includes.d/
    + ruleset-pre/
       + 99_custom_named_set_declarations.nft
    + ruleset-post/
       + ...
    + table-pre/
       + ...
    + table-post/
       + ...
    + chain-pre/
       + input/
         + 29_strongswan.nft
       + output/
         + 29_strongswan.nft
       + forward/
         + 29_strongswan.nft
    + chain-post/
       + mangle_output/
         + 99_custom_dscp_fiddling.nft

(The numeric prefixes carry no semantic meaning in this structure; they'd just
be there to enforce a certain order within a given hook directory.)


I think the above would be a lot more manageable since you'd just have to
place partial .nft files which are then folded into the final ruleset on fw4
start/reload.


~ Jo
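As an added illustration of the subdirectory layout sketched above (not code from the thread or from fw4, which is written in ucode): a small Python routine that validates candidate paths under `includes.d/` against the `hook[/chain]/NN_name.nft` convention and emits the nft `include` lines per hook in prefix order, ignoring anything that does not follow the convention. The listing it walks is constructed here, and the base path is assumed.

```python
import re

# Hook directories from the proposed includes.d layout. Hooks under chain-*
# take one more path component naming the chain (e.g. chain-pre/input/).
HOOK_DIRS = ("ruleset-pre", "ruleset-post", "table-pre", "table-post",
             "chain-pre", "chain-post")
# Two-digit ordering prefix, then a name, then the .nft suffix.
FILE_RE = re.compile(r"^([0-9]{2})_([A-Za-z0-9_-]+)\.nft$")

def parse_include_path(relpath):
    """Map 'hook[/chain]/NN_name.nft' to a dict, or None if it breaks the convention."""
    parts = relpath.split("/")
    if not (2 <= len(parts) <= 3) or parts[0] not in HOOK_DIRS:
        return None
    hook = parts[0]
    chain = parts[1] if len(parts) == 3 else None
    # chain-* hooks require a chain subdirectory; the other hooks must not have one.
    if hook.startswith("chain-") != (chain is not None):
        return None
    m = FILE_RE.match(parts[-1])
    if not m:
        return None
    return {"hook": hook, "chain": chain, "order": int(m.group(1)), "name": m.group(2)}

def collect_includes(relpaths, base="/usr/share/firewall4/includes.d"):
    """Group accepted files by (hook, chain) and emit nft include lines in prefix order."""
    grouped = {}
    for rel in relpaths:
        info = parse_include_path(rel)
        if info is None:
            continue  # stray file: left out rather than folded into the ruleset
        key = (info["hook"], info["chain"])
        grouped.setdefault(key, []).append((info["order"], info["name"], rel))
    return {key: [f'include "{base}/{rel}"' for _, _, rel in sorted(entries)]
            for key, entries in grouped.items()}

# Constructed listing mirroring the tree in the mail, plus two paths that must be rejected.
SAMPLE_LISTING = [
    "ruleset-pre/99_custom_named_set_declarations.nft",
    "chain-pre/input/29_strongswan.nft",
    "chain-pre/output/29_strongswan.nft",
    "chain-pre/forward/29_strongswan.nft",
    "chain-pre/input/10_early_drop.nft",
    "chain-post/mangle_output/99_custom_dscp_fiddling.nft",
    "chain-pre/strongswan.nft",      # no chain directory, no numeric prefix
    "table-pre/lan/05_sets.nft",     # table-pre takes no chain component
]

if __name__ == "__main__":
    for (hook, chain), lines in sorted(collect_includes(SAMPLE_LISTING).items(), key=str):
        print(f"# {hook}" + (f" / {chain}" if chain else ""))
        print("\n".join(lines))
```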
