[PATCH firewall4] fw4: add support for include.d dir
Jo-Philipp Wich
jo at mein.io
Fri Jul 22 07:59:03 PDT 2022
Hi,
instead of introducing uci includes that configure nft includes, why not
encode the chain/position etc. values directly into the path/filename and
directly include the file if it exists at the expected location?
A potential pattern could be
"[0-9][0-9]_{ruleset_pre,ruleset_post,table_pre,table_post,chain_pre_*,chain_post_*}_*.nft".
Taking the example from your mail, these *.nft includes would be stored at
/usr/share/firewall4/include.d/01_chain_pre_input_strongswan.nft
/usr/share/firewall4/include.d/02_chain_pre_output_strongswan.nft
/usr/share/firewall4/include.d/03_chain_pre_forward_strongswan.nft
Alternatively, the hooks could be moved into a subdirectory structure for
better clarity:
/usr/share/firewall4/includes.d/
  + ruleset-pre/
    + 99_custom_named_set_declarations.nft
  + ruleset-post/
    + ...
  + table-pre/
    + ...
  + table-post/
    + ...
  + chain-pre/
    + input/
      + 29_strongswan.nft
    + output/
      + 29_strongswan.nft
    + forward/
      + 29_strongswan.nft
  + chain-post/
    + mangle_output/
      + 99_custom_dscp_fiddling.nft
(The numeric prefixes carry no semantic meaning in this structure; they'd just
be there to enforce a certain order within a given hook directory.)
I think the above would be a lot more manageable since you'd just have to
place partial .nft files which are then folded into the final ruleset on fw4
start/reload.
~ Jo
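An added example, written for this thread and not code from fw4 or from the mail, that resolves the subdirectory layout described above: it classifies include paths by hook and chain, orders them by their numeric prefix, and emits the nft `include` statements for one hook, skipping anything that does not fit the layout so stray files are never folded into the ruleset. The subdirectory form is used rather than the flat `NN_chain_pre_<chain>_<name>.nft` pattern because a chain name that itself contains an underscore (such as mangle_output) makes the flat name ambiguous; INCLUDE_ROOT, the validation rules and the file listing are assumptions of the example.

```python
import re
from collections import defaultdict

# Base directory and hook names from the proposal in the mail; the layout
# rules below are this example's own reading of it, not fw4 behaviour.
INCLUDE_ROOT = "/usr/share/firewall4/includes.d"
CHAIN_HOOKS = {"chain-pre", "chain-post"}          # need a <chain>/ subdir
PLAIN_HOOKS = {"ruleset-pre", "ruleset-post", "table-pre", "table-post"}
FILE_RE = re.compile(r"^(\d{2})_[A-Za-z0-9_-]+\.nft$")  # NN_<name>.nft


def classify(relpath):
    """Map a path relative to INCLUDE_ROOT to (hook, chain, order, filename),
    or None when the path does not follow the layout."""
    parts = relpath.split("/")
    if len(parts) == 2 and parts[0] in PLAIN_HOOKS:
        hook, chain, fname = parts[0], None, parts[1]
    elif len(parts) == 3 and parts[0] in CHAIN_HOOKS:
        hook, chain, fname = parts
    else:
        return None
    m = FILE_RE.match(fname)
    return (hook, chain, int(m.group(1)), fname) if m else None


def collect_includes(relpaths):
    """Group conforming files by (hook, chain), ordered by prefix then name.
    Non-conforming paths are skipped so they are never folded in by accident."""
    groups = defaultdict(list)
    for p in relpaths:
        c = classify(p)
        if c is not None:
            hook, chain, order, fname = c
            groups[(hook, chain)].append((order, fname, p))
    return {k: [p for _, _, p in sorted(v)] for k, v in groups.items()}


def render_includes(groups, hook, chain=None):
    """nft include statements to splice into the ruleset at the given hook."""
    return [f'include "{INCLUDE_ROOT}/{p}"' for p in groups.get((hook, chain), [])]


SAMPLE = [  # constructed listing, modelled on the tree in the mail
    "ruleset-pre/99_custom_named_set_declarations.nft",
    "chain-pre/input/29_strongswan.nft",
    "chain-pre/input/10_local_policy.nft",
    "chain-pre/output/29_strongswan.nft",
    "chain-post/mangle_output/99_custom_dscp_fiddling.nft",
    "chain-pre/input/README.txt",     # wrong extension, no prefix: skipped
    "chain-pre/29_strongswan.nft",    # chain hook without a chain dir: skipped
]
```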