Get iptables to trigger a script

Well, here is the full implementation:

I tested setting an iptables log rule for accessing a specific wan web site from lan (forwarding_lan_rule):

iptables -A forwarding_lan_rule -d 130.230.137.61 -j LOG --log-prefix="TRIGGER ME NOW"

I then checked with the logread command, and the command properly worked the packet:

root@OpenWrt:~# logread -f | grep TRIGGER
Thu Feb  8 18:55:18 2018 kern.warn kernel: [156303.420648] TRIGGER ME NOWIN=br-lan OUT=eth0.2 MAC=dc:ef:09:ef:f3:e4:78:24:af:3a:80:1c:08:00 SRC=192.168.1.180 DST=130.230.137.61 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=7583 DF PROTO=TCP SPT=52161 DPT=80 WINDOW=63093 RES=0x00 ACK URGP=0

Trying that awk command, and triggering another log item to be written:

logread -f | awk '/TRIGGER ME NOW/ {system("logger test1")}'

And after accessing the web page, the log now also contains the test1 items:

Thu Feb  8 18:59:41 2018 user.notice root: test1
Thu Feb  8 18:59:41 2018 user.notice root: test1
Thu Feb  8 18:59:43 2018 kern.warn kernel: [156568.040939] TRIGGER ME NOW IN=br-lan OUT=eth0.2 MAC=dc:ef:09:ef:f3:e4:78:24:af:3a:80:1c:08:00 SRC=192.168.1.180 DST=130.230.137.61 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=9556 DF PROTO=TCP SPT=52198 DPT=80 WINDOW=64240 RES=0x00 ACK FIN URGP=0

And then finally testing detaching the logread/awk process:

root@OpenWrt:~# ( logread -f | awk '/TRIGGER ME NOW/ {system("logger test1")}' )&
root@OpenWrt:~#
root@OpenWrt:~# ps
  PID USER       VSZ STAT COMMAND
    1 root      1340 S    /sbin/procd
...
19505 root      1072 S    -ash
19506 root      1128 S    logread -f
19507 root      1080 S    awk /TRIGGER ME NOW  {system("logger test1 )}
19508 root      1068 R    ps
root@OpenWrt:~#

And the log shows the items, both the original iptables log line and my trigger script's test1 line:

Thu Feb  8 19:03:10 2018 kern.warn kernel: [156774.960275] TRIGGER ME NOW IN=br-lan OUT=eth0.2 MAC=dc:ef:09:ef:f3:e4:78:24:af:3a:80:1c:08:00 SRC=192.168.1.180 DST=130.230.137.61 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=9571 DF PROTO=TCP SPT=52215 DPT=80 WINDOW=64240 RES=0x00 ACK URGP=0
Thu Feb  8 19:03:10 2018 user.notice root: test1

So, adding two lines into /etc/rc.local should be ok:

root@OpenWrt:~# cat /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

iptables -A forwarding_lan_rule -d 130.230.137.61 -j LOG --log-prefix="TRIGGER ME NOW"
( logread -f | awk '/TRIGGER ME NOW/ {system("logger test1")}' )&

But I also noticed that the log gets flooded quite rapidly and may choke router performance badly. So, e.g. adding a large website rule this way can be dangerous.

And you need to look carefully for a proper iptables chain, depending a bit on which kind of traffic will trigger things.

EDIT: I tried adding the rules to /etc/firewall.user, and it looks like that affected the boot process negatively. It may be better to have it in /etc/rc.local, or it might be even better to manually run the commands after a proper boot.

PS.
But if you are just trying to get a single packet to some individual port to trigger things, you might actually also check the port knocking options, e.g. fwknop:
https://github.com/openwrt/packages/blob/master/net/fwknop/Makefile
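As an added example that is not part of the original post: the logread/awk one-liner above runs `logger` once for every matching packet, which is what floods the log on a busy site. The POSIX sh script below reads the same `logread -f` stream, parses the SRC/DST/DPT fields out of the kernel LOG line, and fires the action at most once per source address per window. The filename trigger.sh, the 60-second WINDOW, the demo line and the logger message are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the post): POSIX sh handler for iptables LOG lines as
# printed by `logread -f`. It matches the post's "TRIGGER ME NOW" prefix, pulls
# out SRC/DST/DPT and fires the action at most once per source per WINDOW
# seconds, so a busy site cannot turn every packet into a `logger` call.
# Usage:  logread -f | sh ./trigger.sh run &     Self-check:  sh ./trigger.sh demo
PREFIX="TRIGGER ME NOW"
WINDOW=60   # suppression window in seconds (assumed value, tune to taste)
SEEN=""     # space-separated "src=epoch" tokens, one per source, kept in-shell
HIT=""      # "src dst dpt" of the last line that fired
# Constructed sample line in the shape of the post's kernel log output (no MAC/TTL).
SAMPLE='kern.warn kernel: TRIGGER ME NOW IN=br-lan OUT=eth0.2 SRC=192.168.1.180 DST=130.230.137.61 PROTO=TCP SPT=52215 DPT=80'
# parse_line LINE: set src/dst/dpt from the KEY=VALUE words of a LOG line.
parse_line() {
    src=""; dst=""; dpt=""
    for kv in $1; do
        case $kv in
            SRC=*) src=${kv#SRC=} ;;  DST=*) dst=${kv#DST=} ;;  DPT=*) dpt=${kv#DPT=} ;;
        esac
    done
}
# handle_line NOW LINE: 0 and HIT set if the line fires; 1 if no prefix/SRC or SRC fired < WINDOW s ago.
handle_line() {
    case $2 in *"$PREFIX"*) ;; *) return 1 ;; esac
    parse_line "$2"
    [ -n "$src" ] || return 1
    kept=""
    for entry in $SEEN; do
        case $entry in
            "$src"=*) if [ $(($1 - ${entry#*=})) -lt "$WINDOW" ]; then return 1; fi ;;
            *) kept="$kept $entry" ;;
        esac
    done
    SEEN="$kept $src=$1"
    HIT="$src $dst $dpt"
}
# run: read log lines from stdin and call the action for each line that fires.
run() {
    while IFS= read -r line; do
        if handle_line "$(date +%s)" "$line"; then
            set -- $HIT
            logger -t trigger "lan host $1 reached $2 port $3"  # your script goes here
        fi
    done
}
case ${1:-} in
    run)  run ;;
    demo) handle_line 1000 "$SAMPLE" && echo "fired: $HIT"
          handle_line 1010 "$SAMPLE" || echo "suppressed: $SEEN within ${WINDOW}s" ;;
esac
```

The state lives in a shell variable, so it is lost when the script restarts; that is fine for a rate limiter but not for anything that must survive a reboot.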