From 6acdc6efa1d585b4d7b0a145a64fad6bcc670a0f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabian=20Bl=C3=A4se?= Date: Mon, 11 Mar 2024 21:51:02 +0100 Subject: [PATCH] fff-firewall: add user-customizable nftables hook MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently there is no way to persistently configure firewall rules on a router. This might be desirable as home-use of the Freifunk network is quite common these days. To allow for the most flexibility while keeping maintenance efforts low, add a persistent, user-customizable nftables hook. It is evaluated after all firewall rules have already been configured, so it is possible to override them. Users of this hook are responsible for keeping up with changes to the firmware and modify it appropriately, before updating the system. Fixes: #314 Signed-off-by: Fabian Bläse --- src/packages/fff/fff-firewall/files/usr/lib/firewall.d/90-user | 1 + .../fff/fff-sysupgrade/files/etc/uci-defaults/99-fff-sysupgrade | 1 + 2 files changed, 2 insertions(+) create mode 100644 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/90-user diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/90-user b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/90-user new file mode 100644 index 00000000..856459e8 --- /dev/null +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/90-user @@ -0,0 +1 @@ +nft -f /etc/nftables-fff.conf diff --git a/src/packages/fff/fff-sysupgrade/files/etc/uci-defaults/99-fff-sysupgrade b/src/packages/fff/fff-sysupgrade/files/etc/uci-defaults/99-fff-sysupgrade index d0f3d36a..3de48e05 100644 --- a/src/packages/fff/fff-sysupgrade/files/etc/uci-defaults/99-fff-sysupgrade +++ b/src/packages/fff/fff-sysupgrade/files/etc/uci-defaults/99-fff-sysupgrade @@ -12,6 +12,7 @@ cat > /etc/sysupgrade.conf <<-__EOF__ /etc/config/fff /etc/config/gateway /etc/hoodfile +/etc/nftables-fff.conf __EOF__ exit 0
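Review bot: the new 90-user hook calls `nft -f /etc/nftables-fff.conf` unconditionally, so on every router where the user has never created that file (the default after a fresh flash, since the patch does not ship one) each firewall run will hit a missing-file error from nft. Guard the call, e.g. `[ -r /etc/nftables-fff.conf ] && nft -f /etc/nftables-fff.conf`, which keeps the default install silent and, unlike an early `exit 0`, is safe whether firewall.d scripts are sourced or executed. Given that the commit message states this hook is evaluated after all other firewall rules and can override them, a one-line comment at the top of 90-user naming the file as the user-maintained ruleset would make that responsibility visible on the device rather than only in the commit log.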
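Review bot: adding `/etc/nftables-fff.conf` to the sysupgrade.conf heredoc in 99-fff-sysupgrade makes the user ruleset persist across upgrades, but the obligation the commit message places on users (adapt the file to firmware changes before updating) is neither enforced nor surfaced by the patch; the preserved file is simply re-applied by the hook after the upgrade. Consider a short comment beside this entry (or in 90-user) stating that the file is carried over verbatim and is the user's responsibility, so the requirement is discoverable where the file is kept. The added line itself matches the existing entries in the block.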