openwrt / firewall4

[MIRROR] OpenWrt nftables firewall
https://git.openwrt.org/?p=project/firewall4.git;

fw4 doesn't reset tables besides fw4 #19

Closed moritori closed 10 months ago

moritori commented 10 months ago

I'm trying to add the following fragment

table bridge fw4 {
        chain mangle_prerouting {
                type filter hook prerouting priority -150; policy accept;
                iifname "phy0-ap0" meta mark set 0x00000001
        }
}

to some file in /usr/share/nftables.d/ruleset-post/example.nft.

This include is then properly loaded; however, fw4 doesn't seem to reset any other table besides fw4.

This leads to the situation that the rule iifname "phy0-ap0" meta mark set 0x00000001 is added again and again.

brada4 commented 10 months ago

You have to flush your table in your script

#!/usr/sbin/nft -c -f
# declare the table first so the flush below cannot fail when the table does not exist yet
table bridge fw4 
# drop whatever a previous load put into the table before re-adding the rules
flush table bridge fw4
table bridge fw4 { chain ...

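
An added example, not code from the firewall4 project or from either commenter: a POSIX shell script that writes the declare-and-flush form of the include from the issue (the chain and the paths are the ones quoted above) and checks, from two `nft list table bridge fw4` dumps taken before and after `fw4 reload`, whether the reload duplicated rules. The two sample dumps, the function names and the report text are this example's own constructions, so it runs offline; on a router you would capture the dumps instead.

```shell
#!/bin/sh
# Added example (not from the firewall4 project or the issue participants).
#  install_include [DIR]        writes an idempotent example.nft into DIR
#  check_idempotent BEFORE AFTER  fails if a reload added or duplicated rules
# On a router the dumps would be captured with:
#   nft list table bridge fw4 > /tmp/before; fw4 reload
#   nft list table bridge fw4 > /tmp/after
# Function names and the sample dumps below are constructed for this example.

INCLUDE_DIR=/usr/share/nftables.d/ruleset-post   # assumed default target

# install_include [DIR]: write example.nft (declare, flush, then the chain).
install_include() {
    dir=${1:-$INCLUDE_DIR}
    cat > "$dir/example.nft" <<'EOF'
# Declare the table so the flush below does not fail on the very first load,
# when "table bridge fw4" does not exist yet.
table bridge fw4
# fw4 only flushes its own "inet fw4" table; flush ours on every reload,
# otherwise the rule below is appended once per reload.
flush table bridge fw4
table bridge fw4 {
	chain mangle_prerouting {
		type filter hook prerouting priority -150; policy accept;
		iifname "phy0-ap0" meta mark set 0x00000001
	}
}
EOF
}

# Constructed sample dumps in "nft list table" layout.
BEFORE='table bridge fw4 {
        chain mangle_prerouting {
                type filter hook prerouting priority -150; policy accept;
                iifname "phy0-ap0" meta mark set 0x00000001
        }
}'
# Second reload with an include that does not flush: the rule is added again.
AFTER_NOFLUSH='table bridge fw4 {
        chain mangle_prerouting {
                type filter hook prerouting priority -150; policy accept;
                iifname "phy0-ap0" meta mark set 0x00000001
                iifname "phy0-ap0" meta mark set 0x00000001
        }
}'
# Second reload with the flushing include: identical to the first load.
AFTER_FLUSH=$BEFORE

# rule_lines DUMP: rule lines only, with table/chain headers, the chain's
# "type ... hook ..." line, braces and blank lines removed, indentation stripped.
rule_lines() {
    printf '%s\n' "$1" \
      | grep -v -E '^[[:space:]]*(table |chain |type |[}])' \
      | grep -v -E '^[[:space:]]*$' \
      | sed 's/^[[:space:]]*//'
}

# count_rules DUMP: number of rules in the dump.
count_rules() { rule_lines "$1" | wc -l | tr -d ' '; }

# duplicate_rules DUMP: rules that occur more than once (the symptom in the issue).
duplicate_rules() { rule_lines "$1" | sort | uniq -d; }

# check_idempotent BEFORE AFTER: 0 if the reload added no rules and left no
# duplicates, 1 otherwise.
check_idempotent() {
    if [ "$(count_rules "$1")" -ne "$(count_rules "$2")" ]; then return 1; fi
    if [ -n "$(duplicate_rules "$2")" ]; then return 1; fi
    return 0
}

# report LABEL BEFORE AFTER: human-readable summary, always returns 0.
report() {
    if check_idempotent "$2" "$3"; then
        echo "$1: reload added no rules (idempotent)"
    else
        echo "$1: rule count $(count_rules "$2") -> $(count_rules "$3"); duplicated rules:"
        duplicate_rules "$3" | sed 's/^/  /'
    fi
}

report "include without flush" "$BEFORE" "$AFTER_NOFLUSH"
report "include with flush"    "$BEFORE" "$AFTER_FLUSH"
# install_include   # run as root on the router to write the flushing include
```

The rule-line filter is deliberately simple (it drops header, `type`, brace and blank lines); a `comment` or `counter` in a real dump still counts as part of its rule line, so the count is stable across reloads as long as the include itself is.
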
moritori commented 10 months ago

Thanks. This does in fact work! The file is then not automatically placed into the backup, but I can create a custom file under /lib/upgrade/keep.d or in /etc/sysupgrade.conf to accomplish that.

brada4 commented 10 months ago

Confirming that you found the correct way to preserve customized "system" files. keep.d is for packages, but it will work either way.