The following iptables chains can be used to add custom rules:
afwall - This is the main AFWall+ chain. All OUTPUT packets will pass through it. It is therefore the perfect place if you want to add rules that apply to any interface.
afwall-3g - This chain will only receive OUTPUT packets for the cellular network interface (no matter if it is 2G, 3G, 4G, etc).
afwall-wifi - This chain will only receive OUTPUT packets for the WiFi interface.
afwall-reject - This chain should be used as a target when you want to reject and log a packet. When the logging is disabled, this is exactly the same as the built-in REJECT target.
Please note that all those chains are guaranteed to be cleared before the custom script is executed, so you don't need to worry about rules cleanup on your script IF you are using those chains.
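As an added example (not AFWall+ project code and not from the original post), here is a custom script that uses only the chains described above, so every rule it adds is cleared by AFWall+ before the next run and the script needs no cleanup of its own. The addresses (10.0.0.53 as the only permitted resolver, 224.0.0.251 as the mDNS group), the port choices, and the /system/bin/iptables path check are assumptions for illustration; on a real device the rules would be whatever the user wants to filter. Outside a rooted Android shell the script prints the rules instead of applying them, which is also how it can be reviewed before deployment.

```shell
#!/system/bin/sh
# Added example of an AFWall+ custom script. All rules live in the afwall,
# afwall-3g and afwall-wifi chains and use afwall-reject (logged reject) or
# DROP as targets, so AFWall+ flushes them before re-running the script.
# IPT is chosen at the bottom: the iptables binary on the phone, "echo"
# elsewhere (assumption: Android keeps iptables at /system/bin/iptables).

# Run one iptables command. --wait avoids the xtables-lock race seen at boot.
# With IPT=echo the command line is printed instead of applied.
ipt() {
    "$IPT" --wait "$@"
}

# The rule set. Every rule targets an afwall-* chain, so no cleanup is needed.
afwall_custom_rules() {
    # Any interface: reject and log plain DNS that bypasses the chosen resolver
    # (10.0.0.53 is a constructed example address).
    ipt -A afwall -p udp --dport 53 ! -d 10.0.0.53 -j afwall-reject
    ipt -A afwall -p tcp --dport 53 ! -d 10.0.0.53 -j afwall-reject

    # Cellular only: SMB/NetBIOS has no business leaving the phone over mobile
    # data; reject and log it so the offending app shows up in the AFWall+ log.
    ipt -A afwall-3g -p tcp -m multiport --dports 137,138,139,445 -j afwall-reject

    # Cellular only: drop SSDP quietly (plain DROP, nothing logged).
    ipt -A afwall-3g -p udp --dport 1900 -j DROP

    # WiFi only: mDNS is expected only to the link-local multicast group;
    # unicast mDNS to arbitrary hosts is rejected and logged.
    ipt -A afwall-wifi -p udp --dport 5353 ! -d 224.0.0.251 -j afwall-reject
}

# On the phone (root shell, Android iptables present) apply the rules;
# anywhere else just print them for review.
if [ "$(id -u)" = 0 ] && [ -x /system/bin/iptables ]; then
    IPT=/system/bin/iptables
    afwall_custom_rules
else
    IPT=echo
    afwall_custom_rules
fi
```

Because the chains are cleared by AFWall+ itself, the script never needs `-F` or `-X`; adding rules to the built-in INPUT/OUTPUT chains instead would leave them behind across profile switches.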
Can you set up similar guaranteed-cleared inbound and forward chains? For example, afwall-in and afwall-fw or similar?
Ideally, it'd be great if the user could specify in Preferences whether AFWall+ adds automatically-cleared chains for input and forward (output is via the afwall chain already), so we can do custom blocking of exploits, leaks, etc., inbound and outbound.
I've tried setting up my own chains, and they work as long as I start with a completely flushed iptables, but it glitches upon switching profiles in AFWall+, even if I clear the added chains in the scripts. Sometimes it doesn't add the chains at all, thus the rules I want to add to those chains never get set.
Also, for the internal creation and clearing of afwall chain, can you add the --wait flag? During phone bootup, I'm getting "No chain/target/match by that name." and "command 'iptables -A afwall -o cc2mni+ -j afwall-3g' exited with status 4, retrying (attempt x/10)" errors.
Ah, I figured out the problem... the afwall chain isn't attached to IPv6! That's why I was getting "No chain/target/match by that name." when setting IPv6 rules for the afwall chain. So we have no custom script filtering abilities in IPv6 unless we use the built-in chains, and in that case, they won't be flushed when switching profiles (I've used e.g. iptables --wait -t INPUT -F in my scripts, but the rules from the previous script / profile still show up in 'Show Rules > Iptables rules', even after pressing 'Refresh', which is what necessitated my flushing all rules, then applying them again).
Can you fix that, please?