fff-firewall: add user-customizable nftables hook

Currently there is no way to persistently configure firewall rules on a router. This might be desirable as home-use of the Freifunk network is quite common these days. To allow for the most flexibility while keeping maintenance efforts low, add a persistent, user-customizable nftables hook. It is evaluated after all firewall rules have already been configured, so it is possible to override them. Users of this hook are responsible for keeping up with changes to the firmware and modify it appropriately, before updating the system. Fixes: #314 Signed-off-by: Fabian Bläse <fabian@blaese.de>
2024-03-11 21:51:02 +01:00 · 2024-03-11 21:51:02 +01:00 · 1309eaaf11
commit 1309eaaf11
parent 7c0a24a80c
2 changed files with 2 additions and 0 deletions
--- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/90-user
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/90-user
@ -0,0 +1 @@
+nft -f /etc/nftables-fff.conf
--- a/src/packages/fff/fff-sysupgrade/files/etc/uci-defaults/99-fff-sysupgrade
+++ b/src/packages/fff/fff-sysupgrade/files/etc/uci-defaults/99-fff-sysupgrade
@ -12,6 +12,7 @@ cat > /etc/sysupgrade.conf <<-__EOF__
 /etc/config/fff
 /etc/config/gateway
 /etc/hoodfile
+/etc/nftables-fff.conf
 __EOF__

 exit 0