From 1309eaaf11a8621837da4ad7c9fa5400c3731345 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Bl=C3=A4se?=
Date: Mon, 11 Mar 2024 21:51:02 +0100
Subject: [PATCH] fff-firewall: add user-customizable nftables hook
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Currently there is no way to persistently configure firewall rules on a router. This might be desirable as home-use of the Freifunk network is quite common these days.

To allow for the most flexibility while keeping maintenance efforts low, add a persistent, user-customizable nftables hook. It is evaluated after all firewall rules have already been configured, so it is possible to override them.

Users of this hook are responsible for keeping up with changes to the firmware and modify it appropriately, before updating the system.

Fixes: #314
Signed-off-by: Fabian Bläse
---
 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/90-user | 1 +
 .../fff/fff-sysupgrade/files/etc/uci-defaults/99-fff-sysupgrade | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/90-user

diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/90-user b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/90-user
new file mode 100644
index 00000000..856459e8
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/90-user
@@ -0,0 +1 @@
+nft -f /etc/nftables-fff.conf
diff --git a/src/packages/fff/fff-sysupgrade/files/etc/uci-defaults/99-fff-sysupgrade b/src/packages/fff/fff-sysupgrade/files/etc/uci-defaults/99-fff-sysupgrade
index d0f3d36a..3de48e05 100644
--- a/src/packages/fff/fff-sysupgrade/files/etc/uci-defaults/99-fff-sysupgrade
+++ b/src/packages/fff/fff-sysupgrade/files/etc/uci-defaults/99-fff-sysupgrade
@@ -12,6 +12,7 @@ cat > /etc/sysupgrade.conf <<-__EOF__
 /etc/config/fff
 /etc/config/gateway
 /etc/hoodfile
+/etc/nftables-fff.conf
 __EOF__
 
 exit 0
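Review bot: The single added line `nft -f /etc/nftables-fff.conf` runs unconditionally, so on every router whose owner never created that file, nft fails with a read error each time the firewall.d hooks are evaluated, and if the runner (not visible in this hunk) checks the status of each hook it may also abort the remaining hooks. Guard the call so the default case is silent and returns success, `if [ -f /etc/nftables-fff.conf ]; then nft -f /etc/nftables-fff.conf; fi`, or ship an empty default file alongside this hook. A short comment in 90-user would also help users who rely on the override behaviour described in the commit message: nft -f applies the file as one transaction, so a stale user file that no longer parses against a newer firmware leaves the generated ruleset untouched rather than half-overridden, and the only visible symptom is the error from this hook. Whether firewall.d entries are sourced or executed is outside this hunk; the file is created non-executable (mode 100644), which suggests sourcing but should be confirmed against the runner.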