luci: custom firewall rules don't show up with fw4 #7428

Open

YoavNahumus opened this issue Nov 26, 2024 · 10 comments

Comments

@YoavNahumus

Is there an existing issue for this?

  • I have searched the existing issues

Screenshots or captures

No response

Actual behaviour

In the Network > Firewall tab of the GUI, the custom rules tab does not show up.
I was able to fix this by removing the dependency on /usr/share/fw3/helpers.conf from the
/usr/share/luci/menu.d/luci-app-firewall.json file.

Expected behaviour

The custom tab in the firewall will show up and allow the user to put nftables commands in for rules.

Steps to reproduce

Go to Network -> Firewall and look at the tabs on a device using firewall4.

Additional Information

NAME="OpenWrt"
VERSION="23.05.2"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt 23.05.2"
VERSION_ID="23.05.2"
HOME_URL="https://openwrt.org/"
BUG_URL="https://bugs.openwrt.org/"
SUPPORT_URL="https://forum.openwrt.org/"
BUILD_ID="r23630-842932a63d"
OPENWRT_BOARD="ipq40xx/generic"
OPENWRT_ARCH="arm_cortex-a7_neon-vfpv4"
OPENWRT_TAINTS="no-all busybox"
OPENWRT_DEVICE_MANUFACTURER="OpenWrt"
OPENWRT_DEVICE_MANUFACTURER_URL="https://openwrt.org/"
OPENWRT_DEVICE_PRODUCT="Generic"
OPENWRT_DEVICE_REVISION="v0"
OPENWRT_RELEASE="OpenWrt 23.05.2 r23630-842932a63d"

What browsers do you see the problem on?

No response

Relevant log output

No response

@PalebloodSky

Why not start with latest stable, 23.05.5, to make sure it's not fixed?

@YoavNahumus
Author

> Why not start with latest stable, 23.05.5, to make sure it's not fixed?

The luci-app-firewall.json still has the dependency there.

@systemcrash
Contributor

> In the Network > Firewall tab of the GUI, the custom rules tab does not show up. I was able to fix this by removing the dependency on /usr/share/fw3/helpers.conf from the /usr/share/luci/menu.d/luci-app-firewall.json file

One of the many idiosyncrasies in the system: it's a hold-over from fw3 days. Not everyone runs fw4; some still use iptables, and the custom rules window is meant for fw3 and iptables commands.

Those are written to /etc/firewall.user.

https://github.com/openwrt/firewall4/blob/dfbcc1cd127c78fc61bb870d36d2512b571d223b/root/usr/share/ucode/fw4.uc#L3210-L3212

https://github.com/openwrt/firewall4/blob/dfbcc1cd127c78fc61bb870d36d2512b571d223b/tests/06_includes/02_firewall.user_include#L42-L57

@brada4

brada4 commented Nov 30, 2024

You can add inserts to rules in /etc/nftables.d/*.nft.
They go in here:

```
table inet fw4 {
   # ... setup interfaces variables ...
   # ... offload if present ...

   # ... your file starts ...
   chain yourchain {
     # xxx = hook name, yyy = priority (placeholders as posted); a base chain
     # needs the type/hook/priority line to be attached to a netfilter hook
     type filter hook xxx priority yyy;
     iifname lo counter
   }
   # ... your file ends ...

   # ... bulk of generated rules ...
}
```

Or in /usr/share in other places.

Some deeply creative rules like maps and vmaps are not yet parsed.

@systemcrash
Contributor

Perhaps we can parse that folder content as an alternative when the user runs fw4.
@stokito @dannil @Ramon00 any takers for that?

@stokito
Contributor

stokito commented Nov 30, 2024

I'm not an expert here. It looks like the /usr/sbin/nft list ruleset command returns all the rules.
The nft format looks similar to JSON, but it isn't.
I think there should be a ubus/rpcd service to show the nfts, and it may convert them to JSON.

The first that I found is some script in Python:
https://github.com/RedHatInsights/insights-core/blob/master/insights/parsers/nftables.py
Maybe ChatGPT can convert it or write one from scratch.

@systemcrash
Contributor

/usr/sbin/nft --json?

@stokito
Contributor

stokito commented Nov 30, 2024

Oh, didn't know about it. /usr/sbin/nft --json list ruleset works. Then it should be enough to implement the UI, right?

@systemcrash
Contributor

That's basically what the firewall status page uses, so I don't see why not. Although here the idea was actual file content. What did you have in mind?
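The two comments above (brada4's include file landing inside `table inet fw4`, and the `nft --json list ruleset` output stokito and systemcrash discuss as the basis for a view) can be tied together with a small parser. The block below is an added example and is not LuCI, rpcd or firewall4 code. `RULESET_JSON` is a hand-constructed sample in the libnftables JSON shape (an `nftables` array of `metainfo`/`table`/`chain`/`rule` objects); the chain named `yourchain` stands in for a user include that hooks `input` ahead of fw4's own chain, and none of the contents were captured from a device. The function and variable names are this example's own.

```python
"""Summarise `nft --json list ruleset` output per table and chain.

Added example; not LuCI, rpcd or firewall4 code. RULESET_JSON is constructed
by hand in the libnftables JSON shape and was not captured from a router.
"""
import json
from typing import Any, Dict, List, Tuple

Chain = Dict[str, Any]

# Constructed sample: fw4's "input" base chain, a regular chain "helper", and a
# user chain "yourchain" (as from an /etc/nftables.d include) on the same hook
# at a lower priority, so it is evaluated before fw4's own input chain.
RULESET_JSON = r"""
{"nftables": [
  {"metainfo": {"version": "1.0.8", "json_schema_version": 1}},
  {"table": {"family": "inet", "name": "fw4", "handle": 1}},
  {"chain": {"family": "inet", "table": "fw4", "name": "input", "handle": 2,
             "type": "filter", "hook": "input", "prio": 0, "policy": "drop"}},
  {"chain": {"family": "inet", "table": "fw4", "name": "yourchain", "handle": 3,
             "type": "filter", "hook": "input", "prio": -10, "policy": "accept"}},
  {"chain": {"family": "inet", "table": "fw4", "name": "helper", "handle": 4}},
  {"rule": {"family": "inet", "table": "fw4", "chain": "input", "handle": 5,
            "expr": [{"match": {"op": "==", "left": {"meta": {"key": "iifname"}}, "right": "lo"}},
                     {"accept": null}]}},
  {"rule": {"family": "inet", "table": "fw4", "chain": "input", "handle": 6,
            "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 22}},
                     {"jump": {"target": "helper"}}]}},
  {"rule": {"family": "inet", "table": "fw4", "chain": "yourchain", "handle": 7,
            "expr": [{"match": {"op": "==", "left": {"meta": {"key": "iifname"}}, "right": "lo"}},
                     {"counter": {"packets": 0, "bytes": 0}}]}}
]}
"""


def render_operand(op: Any) -> str:
    """Render one side of a match in approximate nft syntax."""
    if isinstance(op, dict):
        if "meta" in op:
            return op["meta"]["key"]
        if "payload" in op:
            return f"{op['payload']['protocol']} {op['payload']['field']}"
        return json.dumps(op, separators=(",", ":"))  # unknown expression: keep it raw
    if isinstance(op, list):
        return "{ " + ", ".join(str(v) for v in op) + " }"
    return str(op)


def render_expr(expr: List[Dict[str, Any]]) -> str:
    """Render a rule's statement list as approximate nft syntax."""
    parts: List[str] = []
    for stmt in expr:
        if "match" in stmt:
            m = stmt["match"]
            op = "" if m["op"] == "==" else f" {m['op']}"
            parts.append(f"{render_operand(m['left'])}{op} {render_operand(m['right'])}")
        elif "counter" in stmt:
            parts.append("counter")
        elif "jump" in stmt:
            parts.append(f"jump {stmt['jump']['target']}")
        else:
            parts.append(next(iter(stmt)))  # verdicts such as accept/drop, or anything unknown
    return " ".join(parts)


def summarize_ruleset(text: str) -> Dict[Tuple[str, str], Dict[str, Chain]]:
    """Map (family, table) -> chain name -> {hook, prio, policy, rules}."""
    tables: Dict[Tuple[str, str], Dict[str, Chain]] = {}
    empty: Chain = {"hook": None, "prio": None, "policy": None, "rules": []}
    for obj in json.loads(text)["nftables"]:
        if "table" in obj:
            t = obj["table"]
            tables.setdefault((t["family"], t["name"]), {})
        elif "chain" in obj:
            c = obj["chain"]
            chains = tables.setdefault((c["family"], c["table"]), {})
            chains[c["name"]] = {"hook": c.get("hook"), "prio": c.get("prio"),
                                 "policy": c.get("policy"), "rules": []}
        elif "rule" in obj:
            r = obj["rule"]
            chains = tables.setdefault((r["family"], r["table"]), {})
            chain = chains.setdefault(r["chain"], dict(empty, rules=[]))
            chain["rules"].append(render_expr(r["expr"]))
    return tables


def base_chains(chains: Dict[str, Chain]) -> List[str]:
    """Hooked (base) chains in traversal order: grouped by hook, lower prio first.
    This is what tells a reviewer whether a custom chain runs before or after
    fw4's generated chain on the same hook."""
    hooked = [(n, c) for n, c in chains.items() if c["hook"] is not None]
    hooked.sort(key=lambda nc: (nc[1]["hook"], nc[1]["prio"]))
    return [n for n, _ in hooked]


def format_table(family: str, name: str, chains: Dict[str, Chain]) -> List[str]:
    """Text rendering of one table: base chains first, then regular chains."""
    lines = [f"table {family} {name}"]
    regular = [n for n, c in chains.items() if c["hook"] is None]
    for chain in base_chains(chains) + regular:
        c = chains[chain]
        head = f"  chain {chain}"
        if c["hook"] is not None:
            head += f" (hook {c['hook']} prio {c['prio']} policy {c['policy']})"
        lines.append(head)
        lines.extend(f"    {rule}" for rule in c["rules"])
    return lines


if __name__ == "__main__":
    for (family, name), chains in summarize_ruleset(RULESET_JSON).items():
        print("\n".join(format_table(family, name, chains)))
```

On a device the same parser would be fed the output of `nft --json list ruleset`; the rendering is approximate nft syntax for display, not something to feed back into `nft -f`.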

@Ramon00
Contributor

Ramon00 commented Dec 8, 2024

Is it just a matter of removing the depend?

```json
"admin/network/firewall/custom": {
  "title": "Custom Rules",
  "order": 50,
  "action": { "type": "view", "path": "firewall/custom" },
  "depends": { "fs": { "/usr/share/fw3/helpers.conf": "file" } }
}
```
