firewall4, the wiki, etc.

Philip Prindeville philipp_subx at redfish-solutions.com
Sat Apr 25 17:16:54 PDT 2026


I recently upgraded the same firewall I've been using for 9 years to firewall4 and noticed that my brilliant rules in /etc/firewall.user no longer worked.

Looking to port it forward to firewall4 and nftables, I read through the wiki but most of the documentation is about firewall3 and even bits that are about firewall4 still reference iptables.

For instance:

https://openwrt.org/docs/guide-user/firewall/start

And when I click on "Firewall configuration" it takes me to:

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/start

Wait... what?  24.0 and later ships with firewall4.

Dynamically adding rules via shell scripts was trivial (with firewall3) as you could (for example) tack them onto the end of existing rules via `iptables -A input_wan_rule ...` for instance.

I currently use xt_asn and xt_geoip ipsets, in addition to CIDRs that I know are hostile.  There's no easy way to integrate that with firewall4, i.e. it's harder to add to an existing canned chain in nftables it seems.

So what about stub hooks like:

	chain input_wan {
		jump input_wan_hook
		...
	}

And then generating an empty "input_wan_hook" that a script could redefine?

Maybe there's an easy way to do this with the existing code, but I didn't find it. Like I said, the wiki docs on firewall4 are a little thin.

Any ideas?

Thanks
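The stub-hook scheme sketched in the message above, written out as an added example that is not part of the original post or of firewall4's own code. It assumes the table is "inet fw4", the chain names are as shown, the hook chain and a "hostile_v4" set are created once by the base ruleset, and the CIDRs fed in are constructed samples from the documentation ranges.

```shell
# Added example (not from the post or from firewall4): the stub-hook pattern,
# as an nft script a cron or hotplug job can regenerate at any time.
# Assumptions: table "inet fw4", base chain "input_wan", and a regular chain
# "input_wan_hook" that fw4 only ever jumps to; scripts touch nothing else.

# Base ruleset fragment: empty hook chain and empty set, created once.
base_ruleset() {
  cat <<'EOF'
table inet fw4 {
  set hostile_v4 {
    type ipv4_addr
    flags interval
  }
  chain input_wan_hook {
  }
  chain input_wan {
    jump input_wan_hook
    # fw4's own rules follow here
  }
}
EOF
}

# Emit a script that refills the hook chain and set from a CIDR list on
# stdin (one per line; '#' comments and blank lines are ignored).
# nft -f applies the whole file as one transaction, so the flush and the
# refill either both happen or neither does.
# $1 = table name, $2 = hook chain name
hook_ruleset() {
  table="$1"; chain="$2"
  elems=$(awk 'NF && $1 !~ /^#/ { s = s (s ? ", " : "") $1 } END { print s }')
  printf 'flush set inet %s hostile_v4\n' "$table"
  printf 'flush chain inet %s %s\n' "$table" "$chain"
  printf 'table inet %s {\n' "$table"
  if [ -n "$elems" ]; then
    # an empty "elements = { }" is a syntax error, so only emit it when filled
    printf '  set hostile_v4 {\n    type ipv4_addr\n    flags interval\n'
    printf '    elements = { %s }\n  }\n' "$elems"
    printf '  chain %s {\n    ip saddr @hostile_v4 counter drop\n  }\n' "$chain"
  else
    printf '  chain %s {\n  }\n' "$chain"
  fi
  printf '}\n'
}

# Load the generated script; nft reads the ruleset from stdin with "-f -".
apply_hook() {
  hook_ruleset "$1" "$2" | nft -f -
}
```

Because the base chain is never rewritten, fw4 reloads and the hook refill script cannot clobber each other's rules; an empty list simply leaves the hook chain empty.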
