[PATCH firewall4] ruleset: add missing pre_* chains
Jo-Philipp Wich
jo at mein.io
Wed May 18 06:38:26 PDT 2022
Hi,
can't you do the same by dropping a snippet into /etc/nftables.d/ which simply
registers chains with lower priority hooks? In fact there already is an example
[1].
So in order to achieve what you want, create a
`/etc/nftables.d/10-pre-chains.nft` with the following contents:
-- 8< --
chain pre_input {
type filter hook input priority -1; policy accept;
}
chain pre_forward {
type filter hook forward priority -1; policy accept;
}
chain pre_output {
type filter hook output priority -1; policy accept;
}
-- >8 --
Since nftables makes it easy to have many hooks, I doubt that such a generic,
mostly unused facility is needed at all. If your package/process/use case
requires staging custom rules before the default ones, drop a partial into
/etc/nftables.d/ which declares own chains with lower priority hooks along
with the rules you need.
~ Jo
1: https://git.openwrt.org/?p=project/firewall4.git;a=blob;f=root/etc/nftables.d/10-custom-filter-chains.nft;h=4cb421308f2f8b084add77fc51f8430596d83abf;hb=b2682251a173103490a4a2556fb87e4df1d627b3#l8
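As an added example (editorial, not part of Jo's message and not firewall4 code), the script below turns the suggestion above into a complete partial with one staged rule, and adds a check that the pre_* chains really run ahead of fw4's own chains on the same hook. It assumes the file name 10-pre-chains.nft, a constructed SSH rate-limit rule, and a constructed sample of `nft list chains inet fw4` output; the priority parser accepts both the bare numeric form (`-1`) and the named-offset form (`filter - 1`) that nft prints. One caveat worth knowing before relying on a pre_* chain: an `accept` verdict in a lower-priority base chain only ends that chain, the packet still traverses fw4's input/forward/output chains afterwards; only `drop` is final there.

```shell
#!/bin/sh
# Added example, not firewall4 code: stage rules ahead of fw4's own chains
# with a partial in /etc/nftables.d/, then verify the hook ordering.
# fw4 includes /etc/nftables.d/*.nft inside its `table inet fw4 { ... }`,
# so a partial declares chains only, without a table wrapper.
# File name, SSH rule and the SAMPLE nft output are constructed for this example.

PARTIAL=/etc/nftables.d/10-pre-chains.nft

# Emit the partial. priority -1 is lower than fw4's `priority filter` (0),
# so the kernel traverses these base chains first on each hook.
# Caveat: `accept` in pre_* only ends that chain; the packet still goes
# through fw4's input/forward/output chains. A `drop` here is final.
pre_chains_partial() {
	cat <<'EOF'
chain pre_input {
	type filter hook input priority -1; policy accept;
	# constructed example rule: throttle new SSH connections before fw4 sees them
	tcp dport 22 ct state new limit rate over 10/minute counter drop
}
chain pre_forward {
	type filter hook forward priority -1; policy accept;
}
chain pre_output {
	type filter hook output priority -1; policy accept;
}
EOF
}

# Write the partial, check the generated ruleset, then load it (root on OpenWrt).
install_pre_chains() {
	pre_chains_partial > "$PARTIAL" && fw4 check && fw4 reload
}

# Read `nft list chains inet fw4` output on stdin and print one
# "hook chain priority" line per base chain, priority resolved to a number.
# Handles both forms nft prints: "-1" and "filter - 1".
base_chains() {
	awk '
	BEGIN {
		std["raw"] = -300; std["mangle"] = -150; std["dstnat"] = -100
		std["filter"] = 0; std["security"] = 50; std["srcnat"] = 100
	}
	/^[ \t]*chain / { chain = $2 }
	/ hook / && / priority / {
		hook = $0; sub(/.*hook +/, "", hook); sub(/ .*/, "", hook)
		p = $0; sub(/.*priority +/, "", p); sub(/;.*/, "", p)
		n = split(p, t, " ")
		v = (t[1] in std) ? std[t[1]] : t[1] + 0
		if (n == 3) v = (t[2] == "+") ? v + t[3] : v - t[3]
		printf "%s %s %d\n", hook, chain, v
	}'
}

# Succeed only if each pre_<hook> chain exists and has a lower priority
# (runs earlier) than fw4's input/forward/output chain on the same hook.
# Usage on the router: nft list chains inet fw4 | pre_chains_run_first
pre_chains_run_first() {
	base_chains | awk '
	{ prio[$2] = $3 + 0; seen[$2] = 1 }
	END {
		ok = 1
		n = split("input forward output", hooks, " ")
		for (i = 1; i <= n; i++) {
			h = hooks[i]; k = "pre_" h
			if (!(k in seen) || !(h in seen) || prio[k] >= prio[h]) ok = 0
		}
		exit !ok
	}'
}

# Constructed `nft list chains inet fw4` output as it would look after
# `fw4 reload` with the partial installed (for an offline self-check).
SAMPLE='table inet fw4 {
	chain input {
		type filter hook input priority filter; policy drop;
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
	}
	chain output {
		type filter hook output priority filter; policy accept;
	}
	chain pre_input {
		type filter hook input priority filter - 1; policy accept;
	}
	chain pre_forward {
		type filter hook forward priority -1; policy accept;
	}
	chain pre_output {
		type filter hook output priority filter - 1; policy accept;
	}
	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
	}
}'
```

On the device, `install_pre_chains` writes the partial and reloads; `nft list chains inet fw4 | pre_chains_run_first` then confirms the ordering, which is the check to repeat after any firewall4 upgrade in case fw4's own hook priorities change.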