Hi, instead of introducing uci includes that configure nft includes, why not encode the chain/position etc. values directly into the path/filename and directly include the file if it exists at the expected location?
A potential pattern could be "[0-9][0-9]_{ruleset_pre,ruleset_post,table_pre,table_post,chain_pre_*,chain_post_*}_*.nft".

Taking the example from your mail, these *.nft includes would be stored at

  /usr/share/firewall4/include.d/01_chain_pre_input_strongswan.nft
  /usr/share/firewall4/include.d/02_chain_pre_output_strongswan.nft
  /usr/share/firewall4/include.d/03_chain_pre_forward_strongswan.nft

Alternatively, the hooks could be moved into a subdirectory structure for better clarity:

  /usr/share/firewall4/includes.d/
   + ruleset-pre/
     + 99_custom_named_set_declarations.nft
   + ruleset-post/
     + ...
   + table-pre/
     + ...
   + table-post/
     + ...
   + chain-pre/
     + input/
       + 29_strongswan.nft
     + output/
       + 29_strongswan.nft
     + forward/
       + 29_strongswan.nft
   + chain-post/
     + mangle_output/
       + 99_custom_dscp_fiddling.nft

(The numeric prefixes carry no semantic meaning in this structure, they'd just be there to enforce a certain order within a given hook directory)

I think the above would be a lot more manageable since you'd just have to place partial .nft files which are then folded into the final ruleset on fw4 start/reload.

~ Jo
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
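A sketch of how a loader could classify files under the flat naming pattern proposed in the mail, added here as an example and not taken from fw4 or from the author. The function names, the `KNOWN_CHAINS` set and the longest-match rule for chain names containing underscores (such as `mangle_output`) are assumptions; anything that does not fit the pattern is rejected rather than included.

```python
import re

# Hook names taken from the pattern proposed in the mail.
SIMPLE_HOOKS = ("ruleset_pre", "ruleset_post", "table_pre", "table_post")
CHAIN_HOOKS = ("chain_pre", "chain_post")
# Assumption: chains the loader knows about (the ones used in the mail).
KNOWN_CHAINS = ("input", "output", "forward", "mangle_output")
# Two-digit prefix, then a plain name: no "/" or extra "." can pass.
FLAT_RE = re.compile(r"([0-9][0-9])_([a-z0-9_]+)\.nft")

# Constructed sample directory listing, including names that must be refused.
SAMPLE = [
    "01_chain_pre_input_strongswan.nft",
    "99_chain_post_mangle_output_custom_dscp_fiddling.nft",
    "99_ruleset_pre_custom_named_set_declarations.nft",
    "../05_table_pre_x.nft",           # path component
    "7_table_post_x.nft",              # prefix is not two digits
    "10_chain_pre_nosuchchain_x.nft",  # unknown chain
]

def parse_include(filename, chains=KNOWN_CHAINS):
    """Return (order, hook, chain, name), or None if the name does not fit."""
    m = FLAT_RE.fullmatch(filename)
    if not m:
        return None
    order, rest = int(m.group(1)), m.group(2)
    for hook in SIMPLE_HOOKS:
        if rest.startswith(hook + "_") and len(rest) > len(hook) + 1:
            return (order, hook, None, rest[len(hook) + 1:])
    for hook in CHAIN_HOOKS:
        if rest.startswith(hook + "_"):
            tail = rest[len(hook) + 1:]
            # Chain names may contain "_", so try the longest known chain first.
            for chain in sorted(chains, key=len, reverse=True):
                if tail.startswith(chain + "_") and len(tail) > len(chain) + 1:
                    return (order, hook, chain, tail[len(chain) + 1:])
    return None

def plan(filenames):
    """Group accepted files per (hook, chain) in sorted order; list rejects."""
    hooks, rejected = {}, []
    for fn in sorted(filenames):
        parsed = parse_include(fn)
        if parsed is None:
            rejected.append(fn)
        else:
            hooks.setdefault((parsed[1], parsed[2]), []).append(fn)
    return hooks, rejected
```

In the subdirectory layout the hook and chain come from the directory names, so the chain/name split needs no list of known chains.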