[PATCH firewall4] ruleset: add missing pre_* chains

Florian Eckert fe at dev.tdt.de
Wed May 18 05:26:19 PDT 2022


There is the option to add a user chain, but if the rule applies, the
fw4 rules are still processed. This is because these chains are
top-level chains that only have a different priority.

This priority indicates whether they are processed before or after the
fw4 chains.

So that rules can also be processed in the context of fw4 and are
not passed on to the next top-level chain in the event of a rule applying,
the rule must be processed in the context of the fw4 tables. This commit
adds a pre chain for input, output and forward.

Firewall rules that are not handled by fw4 can then be hooked into
these chains, which are then processed in the context of fw4 and are thus
allowed through by fw4 in the event of an accept.

Signed-off-by: Florian Eckert <fe at dev.tdt.de>
(cherry picked from commit 596f9f7973560210a8ccf386d7017aaa07ea77d2)
---
 root/usr/share/firewall4/templates/ruleset.uc | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index 0142d5a..79401d2 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -67,11 +67,16 @@ table inet fw4 {
 	# Filter rules
 	#
 
+	chain pre_input {
+
+	}
+
 	chain input {
 		type filter hook input priority filter; policy {{ fw4.input_policy(true) }};
 
 		iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
+		jump pre_input
 		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
 {% if (fw4.default_option("drop_invalid")): %}
 		ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
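Review bot: the `jump pre_input` is placed before `ct state established,related accept` and before `ct state invalid drop`, so every packet of an already established flow, and every invalid-state packet, traverses the user chain ahead of fw4's conntrack fast path; if that is intended (so users can cut established flows) the commit message should say so, otherwise the jump belongs after the two conntrack rules. The empty `chain pre_input { }` also carries a stray blank line and, unlike the neighbouring rules, no `comment "!fw4: ..."` stating its purpose, and since the chain is part of the generated template the message should state how users are expected to populate it: rules added at runtime with `nft add rule inet fw4 pre_input ...` will not be part of the ruleset the next time the template is rendered and loaded.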
@@ -90,9 +95,14 @@ table inet fw4 {
 {% endif %}
 	}
 
+	chain pre_forward {
+
+	}
+
 	chain forward {
 		type filter hook forward priority filter; policy {{ fw4.forward_policy(true) }};
 
+		jump pre_forward
 {% if (length(flowtable_devices) > 0): %}
 		meta l4proto { tcp, udp } flow offload @ft;
 {% endif %}
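Review bot: `jump pre_forward` sits ahead of `meta l4proto { tcp, udp } flow offload @ft`, so pre_forward rules are evaluated before a flow is handed to the flowtable, but once a TCP/UDP flow has been offloaded its later packets bypass the forward hook entirely and never reach pre_forward; a user rule meant to act on mid-flow traffic will only see the first packets of each flow. This deserves a sentence in the commit message or a comment on the chain, and the same stray blank line inside the empty `chain pre_forward { }` should be dropped for consistency with the rest of the template.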
@@ -111,11 +121,16 @@ table inet fw4 {
 {% endif %}
 	}
 
+	chain pre_output {
+
+	}
+
 	chain output {
 		type filter hook output priority filter; policy {{ fw4.output_policy(true) }};
 
 		oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
+		jump pre_output
 		ct state established,related accept comment "!fw4: Allow outbound established and related flows"
 {% if (fw4.default_option("drop_invalid")): %}
 		ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
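Review bot: same ordering point as for input: `jump pre_output` runs before `ct state established,related accept`, so locally generated reply traffic is evaluated by the user chain on every packet rather than being accepted by conntrack state first. Note also that only a terminal verdict (`accept`, `drop`, `reject`) in pre_output short-circuits the output chain; a non-matching or `return`ing rule continues with the remaining fw4 rules and finally `{{ fw4.output_policy(true) }}`, which is exactly what makes the "processed in the context of fw4" claim hold and should be stated in the message. The three empty chain definitions differ only in name; a short `!fw4:` style comment on each would make their intent visible in `nft list ruleset` output.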
-- 
2.30.2
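The mechanism the commit message relies on, as an added illustration that is not part of the patch, of fw4, or of the sender's message: a separate base chain with its own priority cannot accept a packet on fw4's behalf, whereas a regular chain reached by `jump` from inside fw4's input chain can. The table name `user_early`, the port 8080 and the `policy drop` are assumptions for the example; only `inet fw4`, `input` and `pre_input` come from the patch. The file can be syntax-checked without loading it using `nft -c -f`.

```nft
# Added example, not from the patch or from fw4. Names other than
# "inet fw4", "input" and "pre_input" are assumptions for illustration.
# Syntax check only (nothing is loaded):  nft -c -f pre_input_demo.nft

flush ruleset

# 1) A user-created base chain in its own table, registered on the same
#    input hook but with a lower priority value, so it runs before fw4.
#    "accept" here is a verdict for THIS base chain only: the packet still
#    continues to the next base chain on the hook, i.e. fw4's input chain,
#    whose own rules and policy may still drop it.
table inet user_early {
	chain input {
		type filter hook input priority filter - 10; policy accept;
		tcp dport 8080 accept comment "accepted here, but fw4 input still runs"
	}
}

# 2) A regular (non-base) chain inside the fw4 table, entered with "jump"
#    from fw4's input base chain. A terminal verdict here ends processing
#    of fw4's input chain for this packet, so fw4's later rules and its
#    policy are not applied. A rule that does not match (or an explicit
#    "return") falls back to the calling chain and fw4 continues as usual.
table inet fw4 {
	chain pre_input {
		tcp dport 8080 accept comment "accepted inside fw4: final for the fw4 input chain"
		# no match -> return to chain input below
	}

	chain input {
		type filter hook input priority filter; policy drop;

		iifname "lo" accept
		jump pre_input
		ct state established,related accept
		ct state invalid drop
		# fw4 zone rules would follow here; unmatched packets hit policy drop
	}
}
```

With this loaded, a new TCP connection to port 8080 is accepted by `user_early` and then, independently, accepted again inside `pre_input`; remove the `pre_input` rule and the same packet is accepted by `user_early` but dropped by fw4's `policy drop`, which is the behaviour the commit message describes as rules being "passed on to the next top-level chain".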

More information about the openwrt-devel mailing list