[PATCH firewall4] fw4: add support for include.d dir

Jo-Philipp Wich jo at mein.io
Fri Jul 22 07:59:03 PDT 2022


Instead of introducing uci includes that configure nft includes, why not
encode the chain/position etc. values directly into the path/filename and
directly include the file if it exists at the expected location?

A potential pattern could be

Taking the example from your mail, these *.nft includes would be stored at


Alternatively, the hooks could be moved into a subdirectory structure for
better clarity:

    + ruleset-pre/
       + 99_custom_named_set_declarations.nft
    + ruleset-post/
       + ...
    + table-pre/
       + ...
    + table-post/
       + ...
    + chain-pre/
       + input/
         + 29_strongswan.nft
       + output/
         + 29_strongswan.nft
       + forward/
         + 29_strongswan.nft
    + chain-post/
       + mangle_output/
         + 99_custom_dscp_fiddling.nft

(The numeric prefixes carry no semantic meaning in this structure; they'd just
be there to enforce a certain order within a given hook directory.)

I think the above would be a lot more manageable since you'd just have to
place partial .nft files which are then folded into the final ruleset on fw4

~ Jo
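The hook-directory layout proposed above, folded into a generated ruleset by a small POSIX shell script. This is an added example, not fw4's own code: the base directory under HOOK_BASE, the function names hook_includes/render_ruleset/setup_sample_tree and the fragment contents are assumptions, and the sample tree is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not fw4's own code: fold *.nft fragments from per-hook
# directories into a generated ruleset, using the layout proposed in the mail.
# HOOK_BASE is an assumed location; the real fw4 path may differ.
HOOK_BASE="${HOOK_BASE:-$(mktemp -d)/nftables.d}"

# Print one nft `include` line per fragment found in a hook directory, in
# lexical order so the numeric prefixes (10_, 29_, 99_) control placement.
# Usage: hook_includes <hook> [chain]
hook_includes() {
    dir="$HOOK_BASE/$1${2:+/$2}"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.nft; do
        [ -f "$f" ] || continue            # unmatched glob, dirs, dangling symlinks
        name="${f##*/}"
        case "$name" in
            *[!A-Za-z0-9._-]*) continue ;; # a quote or newline would break the include line
        esac
        printf 'include "%s"\n' "$f"
    done
}

# Render a minimal ruleset skeleton with all six hook points spliced in.
# Usage: render_ruleset <chain>...
render_ruleset() {
    hook_includes ruleset-pre
    printf 'table inet fw4 {\n'
    hook_includes table-pre
    for chain in "$@"; do
        printf '\tchain %s {\n' "$chain"
        hook_includes chain-pre "$chain"
        printf '\t\t# rules generated from the UCI config would go here\n'
        hook_includes chain-post "$chain"
        printf '\t}\n'
    done
    hook_includes table-post
    printf '}\n'
    hook_includes ruleset-post
}

# Constructed sample tree mirroring the mail's example; file contents are
# illustrative placeholders, not real strongSwan or DSCP rules.
setup_sample_tree() {
    mkdir -p "$HOOK_BASE/ruleset-pre" \
             "$HOOK_BASE/chain-pre/input" \
             "$HOOK_BASE/chain-post/mangle_output"
    echo 'table inet fw4 { set custom_hosts { type ipv4_addr; } }' \
        > "$HOOK_BASE/ruleset-pre/99_custom_named_set_declarations.nft"
    echo 'ipsec in reqid 1 accept' > "$HOOK_BASE/chain-pre/input/29_strongswan.nft"
    echo 'ip dscp set cs1' > "$HOOK_BASE/chain-post/mangle_output/99_custom_dscp_fiddling.nft"
    : > "$HOOK_BASE/chain-pre/input/10_first.nft"     # sorts before 29_strongswan.nft
    : > "$HOOK_BASE/chain-pre/input/notes.txt"        # wrong suffix: ignored
    : > "$HOOK_BASE/chain-pre/input/bad\"name.nft"    # unsafe character: ignored
}

setup_sample_tree
render_ruleset input output forward mangle_output
```

Because every fragment is spliced verbatim into a ruleset that nft loads with full privileges, the script only accepts regular files with the .nft suffix whose names use a conservative character set; anything else in a hook directory is silently skipped rather than risking a malformed include line. Hooks without a directory (here chain-pre/output) simply contribute nothing.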
