firewall4, the wiki, etc.

Jonas Lochmann openwrt at jonaslochmann.de
Sun Apr 26 22:20:03 PDT 2026


On Sat, Apr 25, 2026 at 06:16:54PM -0600, Philip Prindeville via openwrt-devel wrote:
> Dynamically adding rules via shell scripts was trivial (with firewall3) as you could (for example) tack them onto the end of existing rules via `iptables -A input_wan_rule ...` for instance.

Same with firewall4. You just use the nft util.

> I currently use xt_asn and xt_geoip ipsets, in addition to CIDRs that I know are hostile.  There's no easy way to integrate that with firewall4, i.e. it's harder to add to an existing canned chain in nftables it seems.

These methods are questionable and you most likely have to
convert these databases into IP ranges first.

> So what about stub hooks like:
> 
> 	chain input_wan {
> 		jump input_wan_hook
> 		...
> 	}
> 
> And then generating an empty "input_wan_hook" that a script could redefine?

This is possible with the firewall4 hooks.

> Maybe there's an easy way to do this with the existing code, but I didn't find it. Like I said, the wifi docs on firewall4 are a little thin.

The current limitation of firewall4 is that snippet hooks
support the atomic rule updates of nftables while script
hooks do not. But as atomic rule updates were impossible
with fw3 too, that most likely does not matter for you.
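As an added example (not code from the thread or the firewall4 project), this is the snippet-hook approach applied to the CIDR-blocklist case from the quoted question: a script that renders an nftables set plus a drop rule into firewall4's `/usr/share/nftables.d/` hook directories, so that `fw4 reload` loads them together with the rest of the ruleset in one atomic `nft -f` transaction. The table `inet fw4` and chain `input_wan` are firewall4's own; the hook directory names `table-post` and `chain-pre/input_wan`, the set name `blocked_src` and the sample CIDRs are assumptions made for this example.

```shell
#!/bin/sh
# Added example: render a firewall4 snippet hook for a CIDR blocklist.
# Assumes firewall4's hook layout /usr/share/nftables.d/{table-post,chain-pre/<chain>}/*.nft.
set -eu

# Constructed sample of "hostile" CIDRs (RFC 5737 documentation ranges, not real data).
CIDRS="192.0.2.0/24
198.51.100.0/24
203.0.113.0/24"

# Render a set definition at table scope (goes into table-post).
# $1 = set name, stdin = one CIDR per line.
render_set() {
    name="$1"; list=""
    while IFS= read -r cidr; do
        [ -n "$cidr" ] || continue
        list="${list:+$list, }$cidr"          # comma-join without a trailing comma
    done
    printf 'set %s {\n\ttype ipv4_addr\n\tflags interval\n\tauto-merge\n\telements = { %s }\n}\n' \
        "$name" "$list"
}

# Render the rule that references the set (goes into chain-pre/input_wan,
# i.e. it runs before firewall4's own rules in that chain).
render_rule() {
    printf 'ip saddr @%s counter drop comment "blocklist (added example)"\n' "$1"
}

# Write both fragments under a root directory: "/" on the device, a temp dir here.
write_hooks() {
    root="$1"; name="$2"
    mkdir -p "$root/usr/share/nftables.d/table-post" \
             "$root/usr/share/nftables.d/chain-pre/input_wan"
    printf '%s\n' "$CIDRS" | render_set "$name" \
        > "$root/usr/share/nftables.d/table-post/10-$name.nft"
    render_rule "$name" \
        > "$root/usr/share/nftables.d/chain-pre/input_wan/10-$name.nft"
}

# On a router: write_hooks / blocked_src && fw4 reload
# ('fw4 print' shows the rendered ruleset, snippets included, without applying it.)
tmp=$(mktemp -d)
write_hooks "$tmp" blocked_src
cat "$tmp/usr/share/nftables.d/table-post/10-blocked_src.nft" \
    "$tmp/usr/share/nftables.d/chain-pre/input_wan/10-blocked_src.nft"
```

Because the fragments are part of the rendered ruleset, a syntax error in them makes the whole `fw4 reload` fail and leaves the previous ruleset in place, which is the atomic behaviour the reply contrasts with script hooks.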


