sentinel-fwlog: Better integration with fw4
Make sure that we inject our rule only into the chain that exists,
regardless of whether it is the reject or the drop one.
miska authored and Zatharalex committed Aug 21, 2024
1 parent 7964854 commit 2897c51
Showing 1 changed file with 6 additions and 1 deletion.
Expand Up @@ -21,7 +21,12 @@ fwlogs_logging() {
[ "$enabled" = "1" ] || return 0

report_operation "Logging of zone '$zone'"
nft insert rule inet fw4 "reject_from_${zone}" log group "$nflog_group" queue-threshold "$nflog_threshold" comment "\"!sentinel: fwlogs\""
if nft list chains | grep -q "reject_from_${zone}"; then
nft insert rule inet fw4 "reject_from_${zone}" log group "$nflog_group" queue-threshold "$nflog_threshold" comment "\"!sentinel: fwlogs\""
fi
if nft list chains | grep -q "drop_from_${zone}"; then
nft insert rule inet fw4 "drop_from_${zone}" log group "$nflog_group" queue-threshold "$nflog_threshold" comment "\"!sentinel: fwlogs\""
fi
}

config_load "firewall"
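Review bot: The existence checks `nft list chains | grep -q "reject_from_${zone}"` and its `drop_from_${zone}` twin do an unanchored regex match over every chain in every table, so a zone named `lan` also matches `reject_from_lan2` or a same-named chain outside `inet fw4`, and the following `nft insert rule` then fails on a chain that is not there. Querying the exact chain avoids that: `if nft list chain inet fw4 "reject_from_${zone}" >/dev/null 2>&1; then`, and the same for `drop_from_${zone}`. When neither chain exists the function returns silently after `report_operation` has already announced logging for the zone, which leaves that zone without a log rule and nothing to show for it; a warning on that path would make the monitoring gap visible. The body of `fwlogs_logging` starts above the hunk, so where `zone` is set or validated is not visible here.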