sentinel-fwlog: Better integration with fw4

Make sure that we inject our rule only to the chain that exists regardless whether it is reject or drop one.
turris-cz · Aug 21, 2024 · fb2a5a9 · fb2a5a9
1 parent 3448582
commit fb2a5a9
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/collect/sentinel/sentinel-fwlogs/files/sentinel-firewall-nftables.sh b/collect/sentinel/sentinel-fwlogs/files/sentinel-firewall-nftables.sh
@@ -21,7 +21,12 @@ fwlogs_logging() {
 	[ "$enabled" = "1" ] || return 0
 
 	report_operation "Logging of zone '$zone'"
-	nft insert rule inet fw4 "reject_from_${zone}" log group "$nflog_group" queue-threshold "$nflog_threshold" comment "\"!sentinel: fwlogs\""
+	if nft list chains | grep -q "reject_from_${zone}"; then
+		nft insert rule inet fw4 "reject_from_${zone}" log group "$nflog_group" queue-threshold "$nflog_threshold" comment "\"!sentinel: fwlogs\""
+	fi
+	if nft list chains | grep -q "drop_from_${zone}"; then
+		nft insert rule inet fw4 "drop_from_${zone}" log group "$nflog_group" queue-threshold "$nflog_threshold" comment "\"!sentinel: fwlogs\""
+	fi
 }
 
 config_load "firewall"