firewall4: loopback device is ACCEPTED before include chain-prepend input
Florian Eckert
fe at dev.tdt.de
Wed Sep 6 05:25:21 PDT 2023
Hello,
I have a use case where I want to add rules via the firewall include
feature, because this cannot be modelled via the fw4 feature set.
That could be done by adding the rules to the directory
`usr/share/nftables.d/chain-pre/input/` [1], because I need these rules
in the input chain.
These rules get loaded via fw4 and were added correctly.
If I look closer at the code, I see that packets for the loopback
interface always get accepted before the include rules get checked [2].
But I also need this custom rule check via the fw4 include feature for
the loopback interface.
Is there a reason why this decision was made to add the custom include
after the loopback interface rule?
Or could we move the include before the loopback check?
Best regards
Florian
[1]
https://git.openwrt.org/?p=project/firewall4.git;a=blob;f=root/usr/share/firewall4/templates/ruleset.uc;h=7bd930937600f67488c4543cd1bfb6493e23b018;hb=HEAD#l102
[2]
https://git.openwrt.org/?p=project/firewall4.git;a=blob;f=root/usr/share/firewall4/templates/ruleset.uc;h=7bd930937600f67488c4543cd1bfb6493e23b018;hb=HEAD#l100
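As an added illustration of the evaluation order the post describes (this is a constructed nftables ruleset, not the fw4 `ruleset.uc` template and not code from the post's author), the include file name `10-custom.nft` and the `tcp dport 8080` drop rule are hypothetical. The point it shows is that `accept` is a terminating verdict: a packet that matched the loopback rule is never evaluated against anything rendered below it, so a rule shipped via `chain-pre/input/` cannot filter loopback traffic as long as it is emitted after that line.

```nft
# Constructed example, not fw4's own template. Chain and table names
# follow fw4's "inet fw4" layout; the custom rule is hypothetical.
table inet fw4 {
    chain input {
        type filter hook input priority filter; policy drop;

        # 1. Loopback traffic is accepted here. "accept" terminates
        #    rule evaluation for the packet in this chain, so none of
        #    the rules below are consulted for packets arriving on lo.
        iifname "lo" accept comment "Accept traffic from loopback"

        # 2. This is where the contents of a hypothetical
        #    /usr/share/nftables.d/chain-pre/input/10-custom.nft would be
        #    rendered, i.e. after the loopback accept. For a connection
        #    to 127.0.0.1:8080 this rule is never reached, so its
        #    counter stays at zero.
        tcp dport 8080 counter drop comment "custom: does not see lo traffic"

        # 3. Remainder of the chain (abbreviated): only non-loopback
        #    packets that were not dropped above get this far.
        ct state established,related accept
        ct state invalid drop
    }
}
```

To confirm the ordering on a running system, `nft list chain inet fw4 input` prints the rules in the order they are evaluated; with the custom rule in place, connecting to port 8080 on 127.0.0.1 and re-listing the chain shows the rule's `counter` still at zero packets, while the same connection from a non-loopback address increments it. Moving the include above the `iifname "lo" accept` line, as the post asks, is what would make the counter move for loopback traffic too.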