Where to insert custom IPTables for early boot stages?

[ghost]

First of all - huge thanks for your work!

I have custom IPTables and EBTables filter rules that need to be executed as early in boot process as possible. UDM Boot Script from BoostChicken doesn't execute scripts until UniFi-OS is loaded and I need my IPTables and EBTables applied before that. That is why I need UDM Kernel Tools.

With UDM Boot Script, I just copy/paste my SH scripts with custom IPTables filter rules into "\mnt\data\on_boot.d" directory. Once I start using UDM Kernel Tools, where should I paste my SH scripts to be executed before UniFi-OS is loaded? Directions mention that for pre-boot stages one needs to override root files using "/mnt/data/udm-kernel-tools/root" directory, but I don't know which files to override... UDM firewall/NAT (user GUI-based IPTables) use IP Sets that are controlled by API. I don't even know where UDM stores its IP Tables... Is it possible to just have my custom SH scripts executed very early in the boot process, before UniFi-OS is loaded, without overriding root files? If not, then I'd appreciate some help with figuring out which files to override.

There is also an issue of API resetting EBTables. UDM uses EBTables for Guest Policies and changing those policies within GUI resets my EBTables filters. Would the same happen with custom kernel? API also resets IPTables if Provision/Re-provision function is used within GUI.

[fabianishere]

You can create a new entry in /mnt/data/udm-kernel-tools/root/etc/init.d that runs before the UniFi OS init script.

However, I don’t expect your custom rules to persist if you re-provision your device. I believe the controller will just flush the existing rules.

[ghost]

Thank you for a prompt response! I didn't realize init.d directory files were just SH scripts. Do I need to name them in any specific way to have them executed before UniFi-OS? What about permissions - 0644 or 0755?

FYI, re-provisioning doesn't flush custom IPTables, but re-arranges them to be executed after IPS/IDS chains. It doesn't flush EBTables. EBTables are flushed whenever Guest Policies are changed and/or WiFi (that uses Guest Policies) settings are adjusted because UDM API uses EBTables for those policies. All of that is secondary. Boot priority is what matters.

Again, thank you for helping out!

[fabianishere]

Follow the naming of the files is that directory (SnumName, e.g., S90service).

Pick a number lower than the one used by the unifios service to start it before UniFi OS. For permissions, I would use the same as the other files in the directory.