| docs:guide-user:firewall:firewall_configuration [2023/11/20 16:47] – [Rules] wording vgaetera | docs:guide-user:firewall:firewall_configuration [2024/08/28 10:11] – [Rules] Added some clarification hints for src and dest IP addresses and added a real world example for inter zone traffic forwarding between interfaces. flygarn12 |
|---|
| * **The main firewall config file is ''/etc/config/firewall'', and this is edited to modify the firewall settings** | * **The main firewall config file is ''/etc/config/firewall'', and this is edited to modify the firewall settings** |
| * :!: //Create a backup of the firewall config __prior__ to making changes// | * :!: //Create a backup of the firewall config __prior__ to making changes// |
| * Should changes cause a loss-of-connectivity to the router, you will need to access it in [[docs:guide-user:troubleshooting:failsafe_and_factory_reset#failsafe_mode|Failsafe Mode]] to restore the backup | * Should changes cause a loss-of-connectivity to the router, you will need to access it in [[docs:guide-user:troubleshooting:failsafe_and_factory_reset#failsafe_mode|failsafe mode]] to restore the backup |
| * Once the settings are changed, //and __after__ double checking changes//, reload the firewall via ''/etc/init.d/firewall reload'' | * Once the settings are changed, //and __after__ double checking changes//, reload the firewall via ''/etc/init.d/firewall reload'' |
| * This is a simple shell script calling ''fw4 reload'', and will print diagnostics to the console as it parses the new firewall configuration. //Check for errors!// | * This is a simple shell script calling ''fw4 reload'', and will print diagnostics to the console as it parses the new firewall configuration. //Check for errors!// |
| * **OpenWrt 22.03 and later** ships with **firewall4** by default, which uses nftables as a backend. It accepts the same UCI configuration syntax as fw3. | * **OpenWrt 22.03 and later** ships with **firewall4** by default, which uses nftables as a backend. It accepts the same UCI configuration syntax as fw3. |
| * **The UCI firewall configuration in ''/etc/config/firewall'' covers a reasonable subset of [[docs:guide-user:firewall:netfilter_iptables:netfilter_openwrt|NetFilter]] rules, but not all of them** | * **The UCI firewall configuration in ''/etc/config/firewall'' covers a reasonable subset of [[docs:guide-user:firewall:netfilter_iptables:netfilter_openwrt|NetFilter]] rules, but not all of them** |
| * To provide more functionality, ''[[firewall_configuration#includes_for_2203_and_later_with_fw4|include]]'' mechanisms are available. | * To provide more functionality, ''[[firewall_configuration#includes_2203_and_later_with_fw4|include]]'' mechanisms are available. |
| * //You can either include a shell script with nftables commands, or include nftables snippets at different locations.// | * //You can either include a shell script with nftables commands, or include nftables snippets at different locations.// |
| * See [[docs:guide-user:firewall:fw3_configurations:fw3_config_examples|Firewall examples]] for usage (might be outdated!) | * See [[docs:guide-user:firewall:fw3_configurations:fw3_config_examples|Firewall examples]] for usage (might be outdated!) |
| | ''synflood_burst'' | string | no | ''50'' | Set burst limit for SYN packets above which the traffic is considered a flood if it exceeds the allowed rate. | | | ''synflood_burst'' | string | no | ''50'' | Set burst limit for SYN packets above which the traffic is considered a flood if it exceeds the allowed rate. | |
| | ''tcp_syncookies'' | boolean | no | ''1'' | Enable the use of [[wp>SYN cookies]]. | | | ''tcp_syncookies'' | boolean | no | ''1'' | Enable the use of [[wp>SYN cookies]]. | |
| | ''tcp_ecn'' | boolean | no | ''0'' | Enable/Disable [[wp>Explicit_Congestion_Notification|Explicit Congestion Notification]]. Affects only traffic originating from the router itself. Implemented upstream in Linux Kernel. See [[https://docs.kernel.org/networking/ip-sysctl.html|kernel docs]]. | | | ''tcp_ecn'' | integer | no | ''0'' | ''0'' Disable, ''1'' Enable, ''2'' Enable when requested for ingress (but disable for egress) [[wp>Explicit_Congestion_Notification|Explicit Congestion Notification]]. Affects only traffic originating from the router itself. Implemented upstream in Linux Kernel. See [[https://docs.kernel.org/networking/ip-sysctl.html|kernel docs]]. | |
| | ''tcp_window_scaling'' | boolean | no | ''1'' | Enable [[wp>TCP_window_scale_option|TCP window scaling]]. | | | ''tcp_window_scaling'' | boolean | no | ''1'' | Enable [[wp>TCP_window_scale_option|TCP window scaling]]. | |
| | ''accept_redirects'' | boolean | no | ''0'' | Accepts redirects. Implemented upstream in Linux Kernel. See [[https://docs.kernel.org/networking/ip-sysctl.html|kernel docs]]. | | | ''accept_redirects'' | boolean | no | ''0'' | Accepts redirects. Implemented upstream in Linux Kernel. See [[https://docs.kernel.org/networking/ip-sysctl.html|kernel docs]]. | |
| | ''forward'' | string | no | ''DROP'' | Default policy (''ACCEPT'', ''REJECT'', ''DROP'') for //forwarded// zone traffic. | | | ''forward'' | string | no | ''DROP'' | Default policy (''ACCEPT'', ''REJECT'', ''DROP'') for //forwarded// zone traffic. | |
| | ''output'' | string | no | ''DROP'' | Default policy (''ACCEPT'', ''REJECT'', ''DROP'') for //outgoing// zone traffic. | | | ''output'' | string | no | ''DROP'' | Default policy (''ACCEPT'', ''REJECT'', ''DROP'') for //outgoing// zone traffic. | |
| | ''family'' | string | no | ''any'' | The protocol family (''ipv4'', ''ipv6'' or ''any'') these rules are for. Defaults to ''any'', but automatically degrades to ''ipv4'' or ''ipv6'' if respective addresses are listed in the same section. | | | ''family'' | string | no | //(auto)// | Specifies the address family (''ipv4'', ''ipv6'' or ''any'') for which the rules are generated. If unspecified, matches the address family of other options in this section and defaults to ''any''. | |
| | ''log'' | int | no | ''0'' | Bit field to enable logging in the filter and/or mangle tables, bit 0 = filter, bit 1 = mangle. (Since r6397-7cc9914aae)| | | ''log'' | int | no | ''0'' | Bit field to enable logging in the filter and/or mangle tables, bit 0 = filter, bit 1 = mangle. | |
| | ''log_limit'' | string | no | ''10/minute'' | Limits the amount of log messages per interval. | | | ''log_limit'' | string | no | ''10/minute'' | Limits the amount of log messages per interval. | |
| | ''device'' | list | no | //(none)// | List of L3 network interface names attached to this zone, e.g. ''tun+'' or ''ppp+'' to match any TUN or PPP interface. This is specifically suitable for undeclared interfaces which lack built-in netifd support such as OpenVPN. Otherwise ''network'' is preferable and ''device'' should be avoided. | | | ''device'' | list | no | //(none)// | List of L3 network interface names attached to this zone, e.g. ''tun+'' or ''ppp+'' to match any TUN or PPP interface. This is specifically suitable for undeclared interfaces which lack built-in netifd support such as OpenVPN. Otherwise ''network'' is preferable and ''device'' should be avoided. | |
| | ''name'' | forward name | no | //(none)// | Unique forwarding name. | | | ''name'' | forward name | no | //(none)// | Unique forwarding name. | |
| | ''src'' | zone name | yes | //(none)// | Specifies the traffic //source zone//. Refers to one of the defined //zone names//. For typical port forwards this usually is 'wan'. | | | ''src'' | zone name | yes | //(none)// | Specifies the traffic //source zone//. Refers to one of the defined //zone names//. For typical port forwards this usually is 'wan'. | |
| | ''dest'' | zone name | yes | //(none)// | Specifies the traffic //destination zone//. Refers to one of the defined //zone names// | | | ''dest'' | zone name | yes | //(none)// | Specifies the traffic //destination zone//. Refers to one of the defined //zone names//. | |
| | ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate the rules for. | | | ''family'' | string | no | ''any'' | Specifies the address family (''ipv4'', ''ipv6'' or ''any'') for which the rules are generated. | |
| | ''enabled'' | bool | no | yes | if set to ''0'', forward is disabled | | | ''enabled'' | bool | no | yes | If set to ''0'', forward is disabled. | |
| | ''ipset'' | string | no | //(none)// | If specified, match traffic against the given //[[docs:guide-user:firewall:firewall_configuration#ip_sets|ipset]]//. The match can be inverted by prefixing the value with an exclamation mark. | | | ''ipset'' | string | no | //(none)// | If specified, match traffic against the given //[[docs:guide-user:firewall:firewall_configuration#ip_sets|ipset]]//. The match can be inverted by prefixing the value with an exclamation mark. | |
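Review bot: the new value list in the ''tcp_ecn'' row is ambiguous about what ''2'' means: "Enable when requested for ingress (but disable for egress)" can be read as ECN being switched off for all outgoing packets. If the intended meaning is the kernel's "enable ECN when an incoming connection requests it, but do not request it on connections the router initiates", suggest wording it that way, e.g. "''2'' Enable when requested by incoming connections, but do not request it on outgoing connections". Since the type changed from boolean to integer, it is also worth saying explicitly that ''1'' requests ECN in both directions, otherwise ''1'' and ''2'' read as near-synonyms.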
| |
| option proto 'tcp' | option proto 'tcp' |
| option target 'REJECT' | option target 'REJECT' |
| | </code> |
| | |
| | Below example is based on a **inter zone forward case** (where zone forward is set to reject) where you have one firewall zone called ''lan'' with two interfaces. In one interface you have a server with IP address ''172.30.100.1'' and the other interface is the default lan interface with ''192.168.1.0/24'' IP range. This configuration case will allow IPv4 ''tcp'' traffic from all IP addresses in the default lan interface to specifically connect only to the server IP address and to the server port ''22''. |
| | |
| | <code bash> |
| | config rule |
| | option name 'forward ssh to server' |
| | option family 'ipv4' |
| | option src 'lan' |
| | option src_ip '192.168.1.0/24' |
| | option dest 'lan' |
| | option dest_ip '172.30.100.1' |
| | option proto 'tcp' |
| | option dest_port '22' |
| | option target 'ACCEPT' |
| | |
| </code> | </code> |
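Review bot: the added example is introduced as an "inter zone forward case", but both ''src'' and ''dest'' are ''lan'', so the traffic is forwarded between two interfaces of the same zone and the policy being overridden is the ''forward'' option of the ''lan'' zone, not a ''config forwarding'' section between two zones. Suggest calling it an "intra-zone forward case" (and "a inter zone" should be "an") so readers do not confuse it with zone-to-zone forwarding; a short sentence that the zone's ''forward'' policy is what rejects everything else would make the point of the example clearer. Minor: the trailing empty line before ''</code>'' can be dropped.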
| |
| * If only ''dest'' is given, the rule matches //outgoing// traffic | * If only ''dest'' is given, the rule matches //outgoing// traffic |
| * If neither ''src'' nor ''dest'' are given, the rule defaults to an //outgoing// traffic rule | * If neither ''src'' nor ''dest'' are given, the rule defaults to an //outgoing// traffic rule |
| | * IP address for ''src_ip'' and ''dest_ip'' can be a specific IP address or use CIDR notations to define a complete interface group of IP addresses as a source or destination, for instance ''192.168.1.0/24''. |
| * Port ranges are specified as ''start-stop'', for instance ''6666-6670''. | * Port ranges are specified as ''start-stop'', for instance ''6666-6670''. |
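Review bot: in the new bullet, "to define a complete interface group of IP addresses" is hard to parse; suggest "to match a whole subnet, for instance the address range of an interface" and "CIDR notation" (singular). It would also help to state the two forms side by side, a single host such as ''172.30.100.1'' and a subnet such as ''192.168.1.0/24'', since the example above uses both.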
| |
| | ''name'' | string | no | //(none)// | Name of rule | | | ''name'' | string | no | //(none)// | Name of rule | |
| | ''src'' | zone name | no | //(none)// | Specifies the traffic //source zone//. Refers to one of the defined //zone names//, or ''*'' for any zone. If omitted, the rule applies to //output// traffic. | | | ''src'' | zone name | no | //(none)// | Specifies the traffic //source zone//. Refers to one of the defined //zone names//, or ''*'' for any zone. If omitted, the rule applies to //output// traffic. | |
| | ''src_ip'' | ip address | no | //(none)// | Match incoming traffic from the specified //source IP address// | | | ''src_ip'' | ip address | no | //(none)// | Match incoming traffic from the specified //source IP address//, CIDR notations can be used, see note above. | |
| | ''src_mac'' | mac address | no | //(none)// | Match incoming traffic from the specified //MAC address// | | | ''src_mac'' | mac address | no | //(none)// | Match incoming traffic from the specified //MAC address// | |
| | ''src_port'' | port or range | no | //(none)// | Match incoming traffic from the specified //source port// or //port range//, if relevant ''proto'' is specified. Multiple ports can be specified like '80 443 465' [[https://forum.openwrt.org/viewtopic.php?pid=287271|1]]. | | | ''src_port'' | port or range | no | //(none)// | Match incoming traffic from the specified //source port// or //port range//, if relevant ''proto'' is specified. Multiple ports can be specified like '80 443 465' [[https://forum.openwrt.org/viewtopic.php?pid=287271|1]]. | |
| | ''icmp_type'' | list of type names or numbers | no | any | For //protocol// ''icmp'' select specific ICMP types to match. Values can be either exact ICMP type numbers or type names (see below). | | | ''icmp_type'' | list of type names or numbers | no | any | For //protocol// ''icmp'' select specific ICMP types to match. Values can be either exact ICMP type numbers or type names (see below). | |
| | ''dest'' | zone name | no | //(none)// | Specifies the traffic //destination zone//. Refers to one of the defined //zone names//, or ''*'' for any zone. If specified, the rule applies to //forwarded// traffic; otherwise, it is treated as //input// rule. | | | ''dest'' | zone name | no | //(none)// | Specifies the traffic //destination zone//. Refers to one of the defined //zone names//, or ''*'' for any zone. If specified, the rule applies to //forwarded// traffic; otherwise, it is treated as //input// rule. | |
| | ''dest_ip'' | ip address | no | //(none)// | Match incoming traffic directed to the specified //destination IP address//. With no dest zone, this is treated as an input rule! | | | ''dest_ip'' | ip address | no | //(none)// | Match incoming traffic directed to the specified //destination IP address//, CIDR notations can be used, see note above. With no dest zone, this is treated as an input rule! | |
| | ''dest_port'' | port or range | no | //(none)// | Match incoming traffic directed at the given //destination port or port range//, if relevant ''proto'' is specified. Multiple ports can be specified like '80 443 465' [[https://forum.openwrt.org/viewtopic.php?pid=287271|1]]. | | | ''dest_port'' | port or range | no | //(none)// | Match incoming traffic directed at the given //destination port or port range//, if relevant ''proto'' is specified. Multiple ports can be specified like '80 443 465' [[https://forum.openwrt.org/viewtopic.php?pid=287271|1]]. | |
| | ''ipset'' | string | no | //(none)// | If specified, match traffic against the given //[[docs:guide-user:firewall:firewall_configuration#ip_sets|ipset]]//. The match can be inverted by prefixing the value with an exclamation mark. You can specify the direction as 'setname src' or 'setname dest'. The default if neither src nor dest are added is to assume src | | | ''ipset'' | string | no | //(none)// | If specified, match traffic against the given //[[docs:guide-user:firewall:firewall_configuration#ip_sets|ipset]]//. The match can be inverted by prefixing the value with an exclamation mark. You can specify the direction as 'setname src' or 'setname dest'. The default if neither src nor dest are added is to assume src | |
| | ''monthdays'' | list of dates | no | //(always)// | If specified, only match traffic during the given days of the month, e.g. ''2 5 30'' to only match on every 2nd, 5th and 30rd day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ''! 31'' to always match but on the 31st of the month. | | | ''monthdays'' | list of dates | no | //(always)// | If specified, only match traffic during the given days of the month, e.g. ''2 5 30'' to only match on every 2nd, 5th and 30rd day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ''! 31'' to always match but on the 31st of the month. | |
| | ''utc_time'' | boolean | no | ''0'' | Treat all given time values as UTC time instead of local time. | | | ''utc_time'' | boolean | no | ''0'' | Treat all given time values as UTC time instead of local time. | |
| | ''target'' | string | yes | ''DROP'' | Firewall action (''ACCEPT'', ''REJECT'', ''DROP'', ''MARK'', ''NOTRACK'') for matched traffic | | | ''target'' | string | yes | ''DROP'' | Firewall action (''ACCEPT'', ''REJECT'', ''DROP'', ''MARK'', ''NOTRACK'') for matched traffic. | |
| | ''set_mark'' | mark/mask | yes for target ''MARK'' | //(none)// | Zeroes out the bits given by mask and ORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed | | | ''set_mark'' | mark/mask | yes for target ''MARK'' | //(none)// | Zeroes out the bits given by mask and ORs value into the packet mark. If mask is omitted, ''0xFFFFFFFF'' is assumed. | |
| | ''set_xmark'' | ::: | ::: | ::: | Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed | | | ''set_xmark'' | ::: | ::: | ::: | Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, ''0xFFFFFFFF'' is assumed. | |
| | ''family'' | string | no | //(auto)// | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate the rules for. If unspecified, defaults to the following:\\ ''any'' - ''dest_ip'' is unspecified,\\ ''ipv4'' or ''ipv6'' - ''dest_ip'' matches the respective family. | | | ''family'' | string | no | //(auto)// | Specifies the address family (''ipv4'', ''ipv6'' or ''any'') for which the rules are generated. If unspecified, matches the address family of other options in this section and defaults to ''any''. | |
| | ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Examples: ''3/minute'', ''3/min'' or ''3/m''. | | | ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Examples: ''3/minute'', ''3/min'' or ''3/m''. | |
| | ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit''. | | | ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit''. | |
| | ''utc_time'' | boolean | no | ''0'' | Treat all given time values as UTC time instead of local time. | | | ''utc_time'' | boolean | no | ''0'' | Treat all given time values as UTC time instead of local time. | |
| | ''target'' | string | no | ''DNAT'' | NAT target (''DNAT'' or ''SNAT'') to use when generating the rule. | | | ''target'' | string | no | ''DNAT'' | NAT target (''DNAT'' or ''SNAT'') to use when generating the rule. | |
| | ''family'' | string | no | //(auto)// | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate the rules for. Defaults to ''ipv4'' unless the destination address matches the ''ipv6'' family. | | | ''family'' | string | no | //(auto)// | Specifies the address family (''ipv4'', ''ipv6'' or ''any'') for which the rules are generated. If unspecified, matches the address family of other options in this section and defaults to ''ipv4''. | |
| | ''reflection'' | boolean | no | ''1'' | Activate NAT reflection for this redirect - applicable to ''DNAT'' targets. | | | ''reflection'' | boolean | no | ''1'' | Activate NAT reflection for this redirect - applicable to ''DNAT'' targets. | |
| | ''reflection_src'' | string | no | ''internal'' | The source address to use for NAT-reflected packets if ''reflection'' is ''1''. This can be ''internal'' or ''external'', specifying which interface’s address to use. Applicable to ''DNAT'' targets. | | | ''reflection_src'' | string | no | ''internal'' | The source address to use for NAT-reflected packets if ''reflection'' is ''1''. This can be ''internal'' or ''external'', specifying which interface’s address to use. Applicable to ''DNAT'' targets. | |
| | ''external'' | string | no | //(none)// | If the ''external'' option is set to a name, the firewall will simply reference an already existing ipset pointed to by the name. If the ''external'' option is unset, the firewall will create the ipset on start and destroy it on stop. | | | ''external'' | string | no | //(none)// | If the ''external'' option is set to a name, the firewall will simply reference an already existing ipset pointed to by the name. If the ''external'' option is unset, the firewall will create the ipset on start and destroy it on stop. | |
| | ''name'' | string | yes if ''external'' is unset \\ no if ''external'' is set | //(none)// if ''external'' is unset \\ value of ''external'' if ''external'' is set | Specifies the firewall internal name of the ipset which is used to reference the set in rules or redirects. | | | ''name'' | string | yes if ''external'' is unset \\ no if ''external'' is set | //(none)// if ''external'' is unset \\ value of ''external'' if ''external'' is set | Specifies the firewall internal name of the ipset which is used to reference the set in rules or redirects. | |
| | ''family'' | string | no | ''ipv4'' | Protocol family (''ipv4'' or ''ipv6'') to create ipset for. Only applicable to storage types ''hash'' and ''list'', the ''bitmap'' type implies ''ipv4''. | | | ''family'' | string | no | ''ipv4'' | Specifies the address family (''ipv4'' or ''ipv6'') for which the IP set is created. Only applicable to storage types ''hash'' and ''list'', the ''bitmap'' type implies ''ipv4''. | |
| | ''storage'' | string | no | //varies// | Specifies the storage method (''bitmap'', ''hash'' or ''list'') used by the ipset, the default varies depending on the used datatypes (see ''match'' option below). In most cases the storage method can be automatically inferred from the datatype combination but in some cases multiple choices are possible (e.g. ''bitmap:ip'' vs. ''hash:ip''). :!: This is only required by fw3 and must be removed from the fw4 configuration. | | | ''storage'' | string | no | //varies// | Specifies the storage method (''bitmap'', ''hash'' or ''list'') used by the ipset, the default varies depending on the used datatypes (see ''match'' option below). In most cases the storage method can be automatically inferred from the datatype combination but in some cases multiple choices are possible (e.g. ''bitmap:ip'' vs. ''hash:ip''). :!: This is only required by fw3 and must be removed from the fw4 configuration. | |
| | ''match'' | list of direction/type tuples | yes | //(none)// | Specifies the matched data types (''ip'', ''port'', ''mac'', ''net'' or ''set'') and their direction (''src'' or ''dest''). The direction is joined with the datatype by an underscore to form a tuple, e.g. ''src_port'' to match source ports or ''dest_net'' to match destination CIDR ranges. When using ipsets matching on multiple elements, e.g. ''hash:ip,port'', specify the packet fields to match on in quotes or comma-separated (i.e. "match dest_ip dest_port"). | | | ''match'' | list of direction/type tuples | yes | //(none)// | Specifies the matched data types (''ip'', ''port'', ''mac'', ''net'' or ''set'') and their direction (''src'' or ''dest''). The direction is joined with the datatype by an underscore to form a tuple, e.g. ''src_port'' to match source ports or ''dest_net'' to match destination CIDR ranges. When using ipsets matching on multiple elements, e.g. ''hash:ip,port'', specify the packet fields to match on in quotes or comma-separated (i.e. "match dest_ip dest_port"). | |
| | ''comment'' | boolean | no | //(none)// | Seems like a bug: should be a string for user defined comment. | | | ''comment'' | boolean | no | //(none)// | Seems like a bug: should be a string for user defined comment. | |
| | ''name'' | string | yes | //(none)// | Specifies the firewall internal name of the ipset which is used to reference the set in rules or redirects. | | | ''name'' | string | yes | //(none)// | Specifies the firewall internal name of the ipset which is used to reference the set in rules or redirects. | |
| | ''family'' | string | no | ''ipv4'' | Protocol family (''ipv4'' or ''ipv6'') to create ipset for. | | | ''family'' | string | no | ''ipv4'' | Specifies the address family (''ipv4'' or ''ipv6'') for which the IP set is created. | |
| | ''match'' | list of ipsettypes | yes | //(none)// | Specifies the matched data types (''ip'', ''port'', ''mac'', ''net'' or ''set'') and their direction (''src'' or ''dest''). The direction is joined with the datatype by an underscore to form a tuple, e.g. ''src_port'' to match source ports or ''dest_net'' to match destination CIDR ranges. | | | ''match'' | list of ipsettypes | yes | //(none)// | Specifies the matched data types (''ip'', ''port'', ''mac'', ''net'' or ''set'') and their direction (''src'' or ''dest''). The direction is joined with the datatype by an underscore to form a tuple, e.g. ''src_port'' to match source ports or ''dest_net'' to match destination CIDR ranges. | |
| | ''maxelem'' | integer | no | ''65536'' | Limits the number of items that can be added to the set. | | | ''maxelem'' | integer | no | ''65536'' | Limits the number of items that can be added to the set. | |
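Review bot: the phrase added to the ''src_ip'' and ''dest_ip'' rows, "CIDR notations can be used, see note above", is a comma splice and the "note above" is not named; suggest "...from the specified //source IP address// or subnet in CIDR notation (see the note on ''src_ip''/''dest_ip'' in the Rules section)". The existing warning on ''dest_ip'' ("With no dest zone, this is treated as an input rule!") should stay at the end of the cell so it is not lost behind the new clause.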
| === Options === | === Options === |
| ^ Name ^ Type ^ Required ^ Default ^ Description ^ | ^ Name ^ Type ^ Required ^ Default ^ Description ^ |
| | ''enabled'' | boolean | no | ''1'' | Allows to disable the corresponding include without having to delete the section | | | ''enabled'' | boolean | no | ''1'' | Allows to disable the corresponding include without having to delete the section. | |
| | ''type'' | string | no | ''script'' | Specifies the type of the include, can be ''script'' for traditional shell script includes or ''restore'' for plain files in //iptables-restore// format | | | ''type'' | string | no | ''script'' | Specifies the type of the include, can be ''script'' for traditional shell script includes or ''restore'' for plain files in //iptables-restore// format. | |
| | ''path'' | file name | yes | ''/etc/firewall.user'' | Specifies a shell script to execute on boot or firewall restarts | | | ''path'' | file name | yes | ''/etc/firewall.user'' | Specifies a shell script to execute on boot or firewall restarts. | |
| | ''family'' | string | no | ''any'' | Specifies the address family (''ipv4'', ''ipv6'' or ''any'') for which the include is called | | | ''family'' | string | no | ''any'' | Specifies the address family (''ipv4'', ''ipv6'' or ''any'') for which the include is called. | |
| | ''reload'' | boolean | no | ''0'' | Specifies whether the include should be called on reload - this is only needed if the include injects rules into internal chains | | | ''reload'' | boolean | no | ''0'' | Specifies whether the include should be called on reload. This is only needed if the include injects rules into internal chains. | |
| |
| Includes of type ''script'' may contain arbitrary commands, for example advanced nftables rules or tc commands required for traffic shaping. | Includes of type ''script'' may contain arbitrary commands, for example advanced nftables rules or tc commands required for traffic shaping. |
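Review bot: the ''type'' row describes ''restore'' as "plain files in //iptables-restore// format" and ''path'' defaults to ''/etc/firewall.user'', while the closing sentence speaks of "advanced nftables rules"; one of the two refers to the wrong firewall generation. Please check whether this table documents the fw3 or the fw4 include section and align the example ("iptables rules" vs "nftables rules") with it. Since the row for ''path'' says the script is executed on boot and on every firewall restart, a one-line hint that the include file should be writable only by root is worthwhile here: anything that can edit it gets to run commands at each reload.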
| |