/usr/share/nftables.d/chain-post will not get included if corresponding chain is not used in /etc/config/firewall

[lowjoel]

I'm building a (hopefully) reusable package to add support to firewall expectations using conntrackd -- helpers essentially. I notice that when I am placing a chain in a directory that matches a "standard" table (e.g srcnat_zone), and if the zone doesn't itself have any rules, the included rules do not get rendered.

This is despite the misleading message that Automatically including '/usr/share/nftables.d/chain-post/srcnat_zone/X.nft is printed when running /etc/init.d/firewall reload.

I dug into the code and it seems like the chains are rendered only if there's a corresponding set of rules in /etc/config/firewall. Should fw4 also emit the chain if an include requests to insert rules into a chain? I'll be happy to work on a patch if this is desirable.

I've been able to workaround this by using the table-post hook instead -- but I would imagine more granular includes would be advantageous.

[brada4]

You can add a chain { .. hook priority +(/-) 1..49 .. } even in separate table to force intended ordering

[lowjoel]

Yes, that's my workaround. I'm wondering if it's better for the includes to implicitly create those chains anyway?

I don't need any separate priorities, I'm just porting /etc/config/firewall rules to /usr/share/nftables.d. I ran into this when I removed the last rule in a chain, just wondering if we should keep them symmetric.

[brada4]

I think stay with it as long as it works (which is IMHO a priority)
With plenty of time one could change helpers listing (and all consumers of it) to plug conntrackd into current kmods read-list-then-test-then-maybe-use
eg

firewall4/root/usr/share/ucode/fw4.uc

Line 1937 in b6e5157

helper.available = (fs.stat(`/sys/module/${helper.module}`)?.type == "directory");

[brada4]

Also +/-X priority is nice as it jumps out of the way of iptables-nft....

[lowjoel]

I think stay with it as long as it works (which is IMHO a priority)

Sure!

With plenty of time one could change helpers listing (and all consumers of it) to plug conntrackd into current kmods read-list-then-test-then-maybe-use eg

conntrackd doesn't register new modules AFAICS. I've got 6 different helpers registered, and I only see nfnetlink_cthelper

[brada4]

No, it is not about modules, but to include usermode/nfqueue helpers in the list. Then in every spot of calling chain handle the new kind of helper gadget...
Lets start with proving the concept and simplest integration?