Hi, instead of introducing uci includes that configure nft includes, why not encode the chain/position etc. values directly into the path/filename and directly include the file if it exists at the expected location?
A potential pattern could be
"[0-9][0-9]_{ruleset_pre,ruleset_post,table_pre,table_post,chain_pre_*,chain_post_*}_*.nft".
Taking the example from your mail, these *.nft includes would be stored at
/usr/share/firewall4/include.d/01_chain_pre_input_strongswan.nft
/usr/share/firewall4/include.d/02_chain_pre_output_strongswan.nft
/usr/share/firewall4/include.d/03_chain_pre_forward_strongswan.nft
Alternatively, the hooks could be moved into a subdirectory structure for
better clarity:
/usr/share/firewall4/includes.d/
  + ruleset-pre/
    + 99_custom_named_set_declarations.nft
  + ruleset-post/
    + ...
  + table-pre/
    + ...
  + table-post/
    + ...
  + chain-pre/
    + input/
      + 29_strongswan.nft
    + output/
      + 29_strongswan.nft
    + forward/
      + 29_strongswan.nft
  + chain-post/
    + mangle_output/
      + 99_custom_dscp_fiddling.nft
(The numeric prefixes carry no semantic meaning in this structure; they'd just
be there to enforce a certain order within a given hook directory.)
I think the above would be a lot more manageable since you'd just have to
place partial .nft files which are then folded into the final ruleset on fw4
start/reload.
~ Jo
openwrt-devel mailing list: https://lists.openwrt.org/mailman/listinfo/openwrt-devel
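A small resolver for the flat naming pattern proposed in the mail, as an added example that is not part of the original message or of firewall4's own code; the `fw4_includes` function name, the `INCLUDE_DIR` default and the sample file names it creates are assumptions.

```shell
#!/bin/sh
# Added example (not fw4 code): resolve partial .nft includes for one hook
# using the flat pattern from the mail,
#   [0-9][0-9]_{ruleset_pre,ruleset_post,table_pre,table_post,chain_pre_*,chain_post_*}_*.nft
# and emit the nft 'include "..."' statements in numeric-prefix order.
# Assumed default location; override with INCLUDE_DIR=... in the environment.
INCLUDE_DIR="${INCLUDE_DIR:-/usr/share/firewall4/include.d}"

# fw4_includes HOOK [CHAIN]
#   HOOK  is one of ruleset_pre, ruleset_post, table_pre, table_post,
#         chain_pre or chain_post; CHAIN is required for the chain_* hooks.
# Prints nothing when no file matches; returns 1 on a bad hook or missing chain.
fw4_includes() {
    hook=$1; chain=$2
    case "$hook" in
        chain_pre|chain_post)
            [ -n "$chain" ] || { echo "chain name required for $hook" >&2; return 1; }
            pattern="${hook}_${chain}_" ;;
        ruleset_pre|ruleset_post|table_pre|table_post)
            pattern="${hook}_" ;;
        *)  echo "unknown hook: $hook" >&2; return 1 ;;
    esac
    # Shell globs expand in collating order, so the NN_ prefix decides the
    # order in which the fragments are folded into the ruleset.
    for f in "$INCLUDE_DIR"/[0-9][0-9]_"$pattern"*.nft; do
        [ -f "$f" ] || continue        # unmatched glob stays literal; skip it
        printf 'include "%s"\n' "$f"
    done
}

# Constructed demo: populate a scratch include.d with the files from the mail.
demo_dir=$(mktemp -d)
touch "$demo_dir/01_chain_pre_input_strongswan.nft" \
      "$demo_dir/02_chain_pre_output_strongswan.nft" \
      "$demo_dir/03_chain_pre_forward_strongswan.nft"
INCLUDE_DIR=$demo_dir fw4_includes chain_pre input
rm -rf "$demo_dir"
```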
