Enhancement-Request: Button for complete clearing of user setted iptables settings from custom scripts (wan up/firewall-scripts)

Actualy there is the problem, that the user firewall script have the need of first delete with -D all previous setted extra iptables entrys, and then the user have to set the options again with -A or -I options - this results in more complex setups in a very long script which needs a long time to complete. By using only -I or -A user settings results when there is WAN-reconnecting-issues (the connect retry-loop) often all rules are multiple times added again and again to ip tables and make it huge long over time.

Having a button-option to clear all iptables settings from the user-scripts makes the WAN/firewall scripts much easier, because the user only needs to add with -A or -I the needed settings and have no longer to take care of eventually clearing all old entrys first.

In practice the firewall script can be reduced by 50% this way.

A “cosmetic” effect is further more, that -D lines no longer brings “errors” by deleting not existing rules. this is the case when the router cold starts and there was never a previos rule setted.

‌

Or a much simpler idea is to always delete all iptables settings, because when a wan connection is newly establised the firewall/conntrack would be anyway reloaded, so usualy all user added scripts needs anyway to reinitiated too.

Having this as default make sure, that the logic for the user is that after establish a wan connection sucessfully the user should have the clear situation, that never old rules from previous runs, tri-states or whatever no longer existing and he can just set clearly every rule freshly to the right position in the chain.

But we should check between the difference and means of “wan UP”: just have a wan link via L2 should not mean to just execute the firewall-script. And establishe wan connections basicly means, when the user is really connected and got ISP DHCP-data. This is importent because you usualy have right after cold boot the WAN Port via L2 up to the modem - but you are not connected to the internet v4 and v6 at this moment. A few moments later the dhcp-data from ISP comes in and then the iptables/conntrack needs anyway the dynamic IPs for reinitiate the firewall rules/conntrack. Basicly this results in a double run very quickly of the firewall-script as sample.

I think we should make a better clarification between firewall-script and wan-up script. Basicly the firewall script should be executed when the system is regulary up. Often extra interfaces and vlans are created here and it is useless to add in a loop an already active interface again and again. Move the iptables-parts to WAN up and the interface things basicly to the firewall scripts make the situation much more clear. This means, my understanding is: that WAN-Up user scripts should always be executed on the L3 WAN-way, when WAN-dhcp or pppoe or LTE connections is really establised and you have to reload/clear the old rules and clear conntrack-cache anyway. But the clearing of (previous) user setted iptables rules in the WAN-Up scripts should be deleted the same way as with the firewall script.

Comments (8)