fw4: prefer /dev/stdin if available

The nftables executable treats `-` and `/dev/stdin` specially when processing
nft scripts from stdin; it will buffer the contents in order to be able to
print detailled error diagnostics. The `/proc/self/fd/0` path used by `fw4`
does not get this special treatment which will lead to nftables error
messages without any reported context.

Make the `fw4` executable prefer `/dev/stdin` in case it exists and fall back
to using `/proc/self/fd/0` as before.

Ref: https://github.com/openwrt/openwrt/issues/9927
Ref: https://git.openwrt.org/50bc06e774f89517f98c89c76a7626f35c3ff659
Ref: https://git.netfilter.org/nftables/tree/src/libnftables.c?h=v1.0.3#n733
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

diff --git a/root/sbin/fw4 b/root/sbin/fw4
index b66f5d72426e7e9718c5ef0111b21f4725eba1e2..b089ac3b3544fa2e48dc4856bdf7a19cd888cc2b 100755 (executable)
--- a/root/sbin/fw4
+++ b/root/sbin/fw4
@@ -7,6 +7,8 @@ LOCK=/var/run/fw4.lock
 STATE=/var/run/fw4.state
 VERBOSE=
 
+[ -e /dev/stdin ] && STDIN=/dev/stdin || STDIN=/proc/self/fd/0
+
 [ -t 2 ] && export TTY=1
 
 die() {
@@ -31,7 +33,7 @@ start() {
                esac
 
                ACTION=start \
-                       utpl -S $MAIN | nft $VERBOSE -f /proc/self/fd/0
+                       utpl -S $MAIN | nft $VERBOSE -f $STDIN
        } 1000>$LOCK
 }
 
@@ -68,7 +70,7 @@ flush() {
 
 reload_sets() {
        ACTION=reload-sets \
-               flock -x $LOCK utpl -S $MAIN | nft $VERBOSE -f /proc/self/fd/0
+               flock -x $LOCK utpl -S $MAIN | nft $VERBOSE -f $STDIN
 }
 
 lookup() {