[PATCH firewall4] fw4: add support for include.d dir

Florian Eckert fe at dev.tdt.de
Mon Jun 27 03:59:20 PDT 2022


Creating a uci configuration is cumbersome and unmaintainable if other
packages want to use the new include feature.

If another package wants to use the include feature of fw4, it must copy
the uci configuration options to '/usr/share/firewall4/include.d'. This
include will then be used in fw4 without having to modify the uci config
under '/etc/config/firewall'.

In my case, this is about the firewall rules for strongswan. This
feature allows me to have the firewall add the strongswan rules on
reload or startup without having to change the firewall's uci
configuration.

Content of the include file for firewall rules needed by strongswan.
The content of the files is updated by the strongswan updown script.

'/usr/share/firewall4/include.d/strongswan':
config include
        option path '/tmp/strongswan/nftables.d/pre-input.nft'
        option type 'nftables'
        option position 'chain-pre'
        option chain 'input'

config include
        option path '/tmp/strongswan/nftables.d/pre-output.nft'
        option type 'nftables'
        option position 'chain-pre'
        option chain 'output'

config include
        option path '/tmp/strongswan/nftables.d/pre-forward.nft'
        option type 'nftables'
        option position 'chain-pre'
        option chain 'forward'

Signed-off-by: Florian Eckert <fe at dev.tdt.de>
---
 root/usr/share/ucode/fw4.uc | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 1b4764c..f46caa2 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -731,6 +731,16 @@ return {
 		//
 
 		this.cursor.foreach("firewall", "include", i => self.parse_include(i));
+		let dir = fs.opendir("/usr/share/firewall4/include.d");
+		if (dir) {
+			let file;
+			while ((file = dir.read()) != null) {
+				if ((file == '.') || (file == '..'))
+					continue;
+				this.cursor.load("/usr/share/firewall4/include.d/" + file);
+				this.cursor.foreach(file, "include", i => self.parse_include(i));
+			}
+		}
 
 
 		if (use_statefile) {
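Review bot: the directory walk in this hunk accepts every entry except `.` and `..` and never checks what `this.cursor.load()` returns, so a subdirectory, an editor backup such as `strongswan~`, or a file whose basename uci will not take as a package name is silently skipped: `load()` fails, `this.cursor.foreach(file, "include", ...)` then iterates nothing, and the operator gets no warning that their include was dropped. A file named `firewall` is a related trap, since that package name is already loaded from `/etc/config` by the `foreach("firewall", ...)` call just above and the second `load()` would collide with it. The loop also takes entries in the order `dir.read()` happens to return them, so the resulting include order can differ between devices with identical files; filtering the names to the character set uci accepts, sorting them, and emitting a warning when `load()` fails (fw4 already has warning helpers for its other parsing paths) would fix all three. As a style point, `"/usr/share/firewall4/include.d"` is spelled out twice in the hunk; a single constant would keep the two copies from drifting apart.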
-- 
2.30.2