[PATCH firewall4] ruleset: add missing pre_* chains

Jo-Philipp Wich jo at mein.io
Wed May 18 06:38:26 PDT 2022


Can't you do the same by dropping a snippet into /etc/nftables.d/ which simply
registers chains with lower priority hooks? In fact there already is an example

So in order to achieve what you want, create an
/etc/nftables.d/10-pre-chains.nft with the following contents:

-- 8< --
# Hooks at priority -1 are evaluated before chains hooked at filter priority (0).
chain pre_input {
  type filter hook input priority -1; policy accept;
}

chain pre_forward {
  type filter hook forward priority -1; policy accept;
}

chain pre_output {
  type filter hook output priority -1; policy accept;
}
-- >8 --

Since nftables makes it easy to have many hooks, I doubt that such a generic,
mostly unused facility is needed at all. If your package/process/use case
requires staging custom rules before the default ones, drop a partial into
/etc/nftables.d/ which declares its own chains with lower priority hooks along
with the rules you need.

~ Jo

