improving firewall rules

Author: nosignals

luci-app-neko/root/etc/neko/core/reload

@@ -5,9 +5,10 @@
 neko_status=$(uci -q get neko.cfg.enabled)
 neko_new_interface=$(uci -q get neko.cfg.new_interface)
 neko_delay=$(uci -q get neko.cfg.delay)
-tun_bin="/etc/neko/core/tun"
-neko_pid="/etc/neko/tmp/neko_pid.txt"
-log="/etc/neko/tmp/log.txt"
+neko_dir="/etc/neko"
+tun_bin="$neko_dir/core/tun"
+neko_pid="$neko_dir/tmp/neko_pid.txt"
+log="$neko_dir/tmp/log.txt"
 firewall="/etc/init.d/firewall"
 neko_version=$1
 
@@ -52,7 +53,9 @@ neko_reload(){
 
             if (( $uptime < $last_uptime )) || [ -z $last_uptime ]; then
                 echo "reloading firewall"
+                $firewall restart
                 echo "[ `date +%T` ] - Detected interfaces $iface changed, Reloading Firewall " >> $log
+                sleep 1
                 $tun_bin -ks
             else
                 echo "nothing"

luci-app-neko/root/etc/neko/core/tun

@@ -69,9 +69,13 @@ start_tun_fw4() {
 }
 stop_tun_fw4() {
     echo "[ `date +%T` ] - Cleaning nftables Route"
-    handles=`nft -a list chain inet fw4 forward |grep -E "oifname.*${tun_device}" |awk -F '# handle ' '{print$2}'`
-    for handle in $handles; do
-        $nft delete rule inet fw4 forward handle ${handle}
+
+    nft_list=(forward input srcnat)
+    for nft_now in ${nft_list[@]}; do
+        handles=`nft -a list chain inet fw4 $nft_now |grep -E "Neko" |awk -F '# handle ' '{print$2}'`
+        for handle in $handles; do
+            $nft delete rule inet fw4 ${nft_now} handle ${handle}
+        done
     done
 }
 while getopts ":sk" signal ; do