Creating a uci configuration is cumbersome and unmaintainable if other
packages want to use the new include feature.

If another package wants to use the include feature of fw4, it must copy
the uci configuration options to '/usr/share/firewall4/include.d'. This
include will then be used in fw4 without having to modify the uci config
under '/etc/config/firewall'.

In my case, this is about the firewall rules for the Strongswan. This
feature allows me to have the firewall add the strongswan rules on
reload or startup without having to change the firewall's uci
configuration.

Content of the include file for the firewall rules needed by strongswan.
The content of the files is updated by the strongswan updown script.

'/usr/share/firewall4/include.d/strongswan':
config include
        option path '/tmp/strongswan/nftables.d/pre-input.nft'
        option type 'nftables'
        option position 'chain-pre'
        option chain 'input'

config include
        option path '/tmp/strongswan/nftables.d/pre-output.nft'
        option type 'nftables'
        option position 'chain-pre'
        option chain 'output'

config include
        option path '/tmp/strongswan/nftables.d/pre-forward.nft'
        option type 'nftables'
        option position 'chain-pre'
        option chain 'forward'

Signed-off-by: Florian Eckert <[email protected]>
---
 root/usr/share/ucode/fw4.uc | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 1b4764c..f46caa2 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -731,6 +731,16 @@ return {
                //
 
                this.cursor.foreach("firewall", "include", i => 
self.parse_include(i));
+               let dir = fs.opendir("/usr/share/firewall4/include.d");
+               if (dir) {
+                       let file;
+                       while ((file = dir.read()) != null) {
+                               if ((file == '.') || (file == '..'))
+                                       continue;
+                               
this.cursor.load("/usr/share/firewall4/include.d/" + file);
+                               this.cursor.foreach(file, "include", i => 
self.parse_include(i));
+                       }
+               }
 
 
                if (use_statefile) {
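Review bot: the return value of `this.cursor.load(...)` is never checked, so an include file that fails to parse (or is not a UCI file at all, e.g. an editor backup left in include.d) is silently skipped and the following `foreach` just iterates nothing; check the result and log a warning naming the file. Two smaller points in the same loop: directory entries come back from `dir.read()` in filesystem order, which is not deterministic, so when several files contribute `chain-pre` includes to the same chain their relative order can change between reloads - collect the names first and sort them before loading; and the directory handle is never closed after the `while` loop, so add a `dir.close()` once reading is done. The path `"/usr/share/firewall4/include.d"` is also spelled out twice; a single constant would avoid the two copies drifting apart.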
-- 
2.30.2


_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel