LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
21854 Commits
1 Branch
46 MiB
Tree: 7b5513659f
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '7b5513659f'
${ noResults }
openwrt-packages-dist/net/vpn-policy-routing/files/vpn-policy-routing.init

1044 lines
41 KiB
Raw Normal View History

vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: bugfix: remove non-ASCII from log; update README Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: separation between auto/all proto; compatibility with mwan3; README update Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: bugfix: remove non-ASCII from log; update README Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: bugfix: remove non-ASCII from log; update README Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: separation between auto/all proto; compatibility with mwan3; README update Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: bugfix: remove non-ASCII from log; update README Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: bugfix: remove non-ASCII from log; update README Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: bugfix: remove non-ASCII from log; update README Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: support phys-dev policies Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: bugfix: remove non-ASCII from log; update README Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: separation between auto/all proto; compatibility with mwan3; README update Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: bugfix: remove non-ASCII from log; update README Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: separation between auto/all proto; compatibility with mwan3; README update Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: bugfix: remove non-ASCII from log; update README Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: separation between auto/all proto; compatibility with mwan3; README update Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: separation between auto/all proto; compatibility with mwan3; README update Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: support phys-dev policies Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: separation between auto/all proto; compatibility with mwan3; README update Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: separation between auto/all proto; compatibility with mwan3; README update Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: separation between auto/all proto; compatibility with mwan3; README update Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: separation between auto/all proto; compatibility with mwan3; README update Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: separation between auto/all proto; compatibility with mwan3; README update Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: separation between auto/all proto; compatibility with mwan3; README update Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: separation between auto/all proto; compatibility with mwan3; README update Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: separation between auto/all proto; compatibility with mwan3; README update Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: separation between auto/all proto; compatibility with mwan3; README update Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: bugfix: remove non-ASCII from log; update README Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: bugfix: remove non-ASCII from log; update README Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: bugfix: remove non-ASCII from log; update README Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: separation between auto/all proto; compatibility with mwan3; README update Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: bugfix: remove non-ASCII from log; update README Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: separation between auto/all proto; compatibility with mwan3; README update Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: bugfix: remove non-ASCII from log; update README Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: bugfix: remove non-ASCII from log; update README Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
vpn-policy-routing: separation between auto/all proto; compatibility with mwan3; README update Signed-off-by: Stan Grishin <stangri@melmac.net>
4 years ago
vpn-policy-routing: initial release Signed-off-by: Stan Grishin <stangri@melmac.net>
5 years ago
 
  1. #!/bin/sh /etc/rc.common
  2. # Copyright 2017-2020 Stan Grishin (stangri@melmac.net)
  3. # shellcheck disable=SC2039,SC1091,SC2018,SC2019
  4. PKG_VERSION='dev-test'
  5. 

  6. export START=94
  7. export USE_PROCD=1
  8. 

  9. readonly _OK_='\033[0;32m\xe2\x9c\x93\033[0m'
  10. readonly _FAIL_='\033[0;31m\xe2\x9c\x97\033[0m'
  11. readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m'
  12. readonly __FAIL__='\033[0;31m[\xe2\x9c\x97]\033[0m'
  13. readonly __PASS__='\033[0;33m[-]\033[0m'
  14. readonly _ERROR_='\033[0;31mERROR\033[0m'
  15. readonly _WARNING_='\033[0;33mWARNING\033[0m'
  16. readonly readmeURL="https://github.com/openwrt/packages/tree/master/net/vpn-policy-routing/files/README.md"
  17. 

  18. export EXTRA_COMMANDS='support'
  19. export EXTRA_HELP="	support	Generates output required to troubleshoot routing issues
  20. 		Use '-d' option for more detailed output
  21. 		Use '-p' option to automatically upload data under VPR paste.ee account
  22. 			WARNING: while paste.ee uploads are unlisted, they are still publicly available
  23. 		List domain names after options to include their lookup in report"
  24. 

  25. readonly packageName='vpn-policy-routing'
  26. readonly serviceName="$packageName $PKG_VERSION"
  27. readonly PID="/var/run/${packageName}.pid"
  28. readonly dnsmasqFile="/var/dnsmasq.d/${packageName}"
  29. readonly userFile="/etc/${packageName}.user"
  30. readonly sharedMemoryOutput="/dev/shm/$packageName-output"
  31. create_lock() { [ -e "$PID" ] && return 1; touch "$PID"; }
  32. remove_lock() { [ -e "$PID" ] && rm -f "$PID"; }
  33. trap remove_lock EXIT
  34. output_ok() { output 1 "$_OK_"; output 2 "$__OK__\\n"; }
  35. output_okn() { output 1 "$_OK_\\n"; output 2 "$__OK__\\n"; }
  36. output_fail() { s=1; output 1 "$_FAIL_"; output 2 "$__FAIL__\\n"; }
  37. output_failn() { output 1 "$_FAIL_\\n"; output 2 "$__FAIL__\\n"; }
  38. # str_replace() { printf "%b" "$1" | sed -e "s/$(printf "%b" "$2")/$(printf "%b" "$3")/g"; }
  39. # str_contains() { [ "$1" != "$(str_replace "$1" "$2" "")" ]; }
  40. # shellcheck disable=SC2018,SC2019
  41. str_to_lower() { echo "$1" | tr 'A-Z' 'a-z'; }
  42. str_extras_to_underscore() { echo "$1" | tr '[\. ~`!@#$%^&*()\+/,<>?//;:]' '_'; }
  43. str_extras_to_space() { echo "$1" | tr ';{}' ' '; }
  44. 

  45. output() {
  46. # Can take a single parameter (text) to be output at any verbosity
  47. # Or target verbosity level and text to be output at specifc verbosity
  48. 	local msg memmsg logmsg
  49. 	if [ $# -ne 1 ]; then
  50. 		if [ $((verbosity & $1)) -gt 0 ] || [ "$verbosity" = "$1" ]; then shift; else return 0; fi
  51. 	fi
  52. 	[ -t 1 ] && printf "%b" "$1"
  53. 	msg="${1//$serviceName /service }";
  54. 	if [ "$(printf "%b" "$msg" | wc -l)" -gt 0 ]; then
  55. 		[ -s "$sharedMemoryOutput" ] && memmsg="$(cat "$sharedMemoryOutput")"
  56. 		logmsg="$(printf "%b" "${memmsg}${msg}" | sed 's/\x1b\[[0-9;]*m//g')"
  57. 		logger -t "${packageName:-service} [$$]" "$(printf "%b" "$logmsg")"
  58. 		rm -f "$sharedMemoryOutput"
  59. 	else
  60. 		printf "%b" "$msg" >> "$sharedMemoryOutput"
  61. 	fi
  62. }
  63. is_installed() { [ -s "/usr/lib/opkg/info/${1}.control" ]; }
  64. 

  65. export serviceEnabled verbosity strictMode wanTableID wanMark fwMask
  66. export ipv6Enabled localIpset remoteIpset ipruleEnabled icmpIface
  67. export ignoredIfaces="" supportedIfaces=""
  68. export appendLocalPolicy="" appendRemotePolicy=""
  69. export wanIface4 wanIface6 ifaceMark ifaceTableID ifAll ifSupported wanGW4 wanGW6
  70. export bootTimeout insertOption
  71. 

  72. list_iface() { ifAll="${ifAll}${1} "; }
  73. list_supported_iface() { is_supported_interface "$1" && ifSupported="${ifSupported}${1} "; }
  74. vpr_find_true() {
  75. 	local iface i param="$2"
  76. 	[ "$param" = 'wan6' ] || param='wan'
  77. 	"network_find_${param}" iface
  78. 	is_tunnel "$iface" && unset iface
  79. 	if [ -z "$iface" ]; then
  80. 		unset ifAll; config_load 'network';
  81. 		config_foreach list_iface 'interface'
  82. 		for i in $ifAll; do
  83. 			if "is_${param}" "$i"; then break; else unset i; fi
  84. 		done
  85. 	fi
  86. 	export "$1=${iface:-$i}"
  87. }
  88. vpr_get_gateway() {
  89. 	local iface="$2" dev="$3" gw
  90. 	network_get_gateway gw "$iface"
  91. 	if [ -z "$gw" ] || [ "$gw" = '0.0.0.0' ]; then
  92. 		gw="$(ip -4 a list dev "$dev" 2>/dev/null | grep inet | awk '{print $2}' | awk -F "/" '{print $1}')"
  93. 	fi
  94. 	export "$1=$gw"
  95. }
  96. vpr_get_gateway6() {
  97. 	local iface="$2" dev="$3" gw
  98. 	network_get_gateway6 gw "$iface"
  99. 	if [ -z "$gw" ] || [ "$gw" = '::/0' ] || [ "$gw" = '::0/0' ] || [ "$gw" = '::' ]; then
  100. 		gw="$(ip -6 a list dev "$dev" 2>/dev/null | grep inet6 | awk '{print $2}')"
  101. 	fi
  102. 	export "$1=$gw"
  103. }
  104. is_l2tp() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:4}" = "l2tp" ]; }
  105. is_oc() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:11}" = "openconnect" ]; }
  106. is_ovpn() { local dev; dev=$(uci -q get network."$1".ifname); [ "${dev:0:3}" = "tun" ] || [ "${dev:0:3}" = "tap" ] || [ -f "/sys/devices/virtual/net/${dev}/tun_flags" ]; }
  107. is_pptp() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:4}" = "pptp" ]; }
  108. is_tor() { local dev; dev=$(uci -q get network."$1".ifname); [ "${dev:0:3}" = "tor" ]; }
  109. is_wg() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:9}" = "wireguard" ]; }
  110. is_tunnel() { is_l2tp "$1" || is_oc "$1" || is_ovpn "$1" || is_pptp "$1" || is_tor "$1" || is_wg "$1"; }
  111. is_wan() { [ "$1" = "$wanIface4" ] || { [ "${1##wan}" != "$1" ] && [ "${1##wan6}" = "$1" ]; } || [ "${1%%wan}" != "$1" ]; }
  112. is_wan6() { [ -n "$wanIface6" ] && [ "$1" = "$wanIface6" ] || [ "${1/#wan6}" != "$1" ] || [ "${1/%wan6}" != "$1" ]; }
  113. string_match_word() { echo "$1" | grep -q -w "$2"; }
  114. is_ignored_interface() { string_match_word "$ignoredIfaces" "$1"; }
  115. is_supported_interface() { string_match_word "$supportedIfaces" "$1" || { ! is_ignored_interface "$1" && { is_wan "$1" || is_wan6 "$1" || is_tunnel "$1"; }; }; }
  116. is_mac_address() { expr "$1" : '[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]$' >/dev/null; }
  117. is_ipv4() { expr "$1" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev/null; }
  118. is_ipv6() { ! is_mac_address "$1" && [ "${1//:}" != "$1" ]; }
  119. is_ipv6_link_local() { [ "${1:0:4}" = "fe80" ]; }
  120. is_ipv6_unique_local() { [ "${1:0:2}" = "fc" ] || [ "${1:0:2}" = "fd" ]; }
  121. is_ipv6_global() { [ "${1:0:4}" = "2001" ]; }
  122. # is_ipv6_global() { is_ipv6 "$1" && ! is_ipv6_link_local "$1" && ! is_ipv6_link_local "$1"; }
  123. is_netmask() { local ip="${1%/*}"; [ "$ip" != "$1" ] && is_ipv4 "$ip"; }
  124. is_domain() { [ "${1//[a-zA-Z-]}" != "$1" ]; }
  125. is_phys_dev() { [ "${1:0:1}" = "@" ] && ip l show | grep -E -q "^\\d+\\W+${1:1}"; }
  126. is_turris() { /bin/ubus -S call system board | /bin/grep 'Turris' | /bin/grep -q '15.05'; }
  127. is_chaos_calmer() { ubus -S call system board | grep -q 'Chaos Calmer'; }
  128. dnsmasq_kill() { killall -q -HUP dnsmasq; }
  129. dnsmasq_restart() { output 1 'Restarting DNSMASQ '; if /etc/init.d/dnsmasq restart >/dev/null 2>&1; then output_okn; else output_failn; fi; }
  130. is_default_dev() { [ "$1" = "$(ip -4 r | grep -m1 'dev' | grep -Eso 'dev [^ ]*' | awk '{print $2}')" ]; }
  131. is_supported_iface_dev() {
  132. 	for n in $ifSupported; do 
  133. 		if [ "$1" = "$(uci -q get "network.${n}.ifname" || echo "$n")" ] || [ "$1" = "$(uci -q get "network.${n}.proto")-${n}" ] ; then return 0; fi
  134. 	done
  135. 	return 1
  136. }
  137. is_supported_protocol () { grep -o '^[^#]*' /etc/protocols | grep -w -v '0' | grep . | awk '{print $1}' | grep -q "$1"; }
  138. 

  139. load_package_config() {
  140. 	config_load "$packageName"
  141. 	config_get_bool serviceEnabled      'config' 'enabled' 0
  142. 	config_get_bool strictMode          'config' 'strict_enforcement' 1
  143. 	config_get_bool ipv6Enabled         'config' 'ipv6_enabled' 0
  144. 	config_get_bool localIpset          'config' 'src_ipset' 0
  145. 	config_get_bool ipruleEnabled       'config' 'iprule_enabled' 0
  146. 	config_get remoteIpset              'config' 'dest_ipset'
  147. 	config_get appendLocalPolicy        'config' 'append_src_rules'
  148. 	config_get appendRemotePolicy       'config' 'append_dest_rules'
  149. 	config_get verbosity                'config' 'verbosity' '2'
  150. 	config_get wanTableID               'config' 'wan_tid' '201'
  151. 	config_get wanMark                  'config' 'wan_mark' '0x010000'
  152. 	config_get fwMask                   'config' 'fw_mask' '0xff0000'
  153. 	config_get icmpIface                'config' 'icmp_interface'
  154. 	config_get ignoredIfaces            'config' 'ignored_interface'
  155. 	config_get supportedIfaces          'config' 'supported_interface'
  156. 	config_get bootTimeout              'config' 'boot_timeout' '30'
  157. 	config_get insertOption             'config' 'iptables_rule_option' 'append'
  158. 

  159. 	if [ -z "${verbosity##*[!0-9]*}" ] || [ "$verbosity" -lt 0 ] || [ "$verbosity" -gt 2 ]; then
  160. 		verbosity=1
  161. 	fi
  162. 

  163. 	. /lib/functions/network.sh
  164. 	. /usr/share/libubox/jshn.sh
  165. 	vpr_find_true wanIface4 'wan'
  166. 	[ "$ipv6Enabled" -ne 0 ] && vpr_find_true wanIface6 'wan6'
  167. 	[ -n "$wanIface4" ] && network_get_gateway wanGW4 "$wanIface4"
  168. 	[ -n "$wanIface6" ] && network_get_gateway6 wanGW6 "$wanIface6"
  169. 	wanGW="${wanGW4:-$wanGW6}"
  170. }
  171. 

  172. is_enabled() {
  173. 	load_package_config
  174. 	if [ "$serviceEnabled" -eq 0 ]; then
  175. 		if [ "$1" = 'on_start' ]; then
  176. 			output "$packageName is currently disabled.\\n"
  177. 			output "Run the following commands before starting service again:\\n"
  178. 			output "uci set $packageName.config.enabled='1'; uci commit;\\n"
  179. 		fi
  180. 		return 1
  181. 	fi
  182. 

  183. 	case $insertOption in
  184. 		insert|-i|-I) insertOption='-I';;
  185. 		append|-a|-A|*) insertOption='-A';;
  186. 	esac
  187. 

  188. 	case $remoteIpset in
  189. 		ipset)
  190. 			if ! ipset help hash:net >/dev/null 2>&1; then
  191. 				output "$_ERROR_: ipset support is enabled in $packageName, but ipset is either not installed or installed ipset does not support 'hash:net' type!\\n"
  192. 				unset remoteIpset
  193. 			fi
  194. 			;;
  195. 		dnsmasq.ipset)
  196. 			if dnsmasq -v 2>/dev/null | grep -q 'no-ipset' || ! dnsmasq -v 2>/dev/null | grep -q -w 'ipset'; then
  197. 				output "$_ERROR_: DNSMASQ ipset support is enabled in $packageName, but DNSMASQ is either not installed or installed DNSMASQ does not support ipsets!\\n"
  198. 				unset remoteIpset
  199. 			fi
  200. 			if ! ipset help hash:net >/dev/null 2>&1; then
  201. 				output "$_ERROR_: DNSMASQ ipset support is enabled in $packageName, but ipset is either not installed or installed ipset does not support 'hash:net' type!\\n"
  202. 				unset remoteIpset
  203. 			fi
  204. 			;;
  205. 		*) unset remoteIpset;;
  206. 	esac
  207. 	
  208. 	if [ "$localIpset" -ne 0 ]; then
  209. 		if ! ipset help hash:net >/dev/null 2>&1; then
  210. 			output "$_ERROR_: Local ipset support is enabled in $packageName, but ipset is either not installed or installed ipset does not support 'hash:net' type!\\n"
  211. 			unset localIpset
  212. 		fi
  213. 		if ! ipset help hash:mac >/dev/null 2>&1; then
  214. 			output "$_ERROR_: Local ipset support is enabled in $packageName, but ipset is either not installed or installed ipset does not support 'hash:mac' type!\\n"
  215. 			unset localIpset
  216. 		fi
  217. 	fi
  218. }
  219. 

  220. is_wan_up() {
  221. 	local sleepCount=1
  222. 	while [ -z "$wanGW" ] ; do
  223. 		vpr_find_true wanIface4 'wan'
  224. 		[ "$ipv6Enabled" -ne 0 ] && vpr_find_true wanIface6 'wan6'
  225. 		[ -n "$wanIface4" ] && network_get_gateway wanGW4 "$wanIface4"
  226. 		[ -n "$wanIface6" ] && network_get_gateway6 wanGW6 "$wanIface6"
  227. 		wanGW="${wanGW4:-$wanGW6}"
  228. 		if [ $((sleepCount)) -gt $((bootTimeout)) ] || [ -n "$wanGW" ]; then break; fi
  229. 		output "$serviceName waiting for wan gateway...\\n"; sleep 1; network_flush_cache; sleepCount=$((sleepCount+1));
  230. 	done
  231. 	mkdir -p "${PID%/*}"; mkdir -p "${dnsmasqFile%/*}";
  232. 	unset ifSupported
  233. 	config_load 'network'
  234. 	config_foreach list_supported_iface 'interface'
  235. 	if [ -n "$wanGW" ]; then
  236. 		return 0	
  237. 	else	
  238. 		output "$_ERROR_: $serviceName failed to discover WAN gateway!\\n"
  239. 		return 1
  240. 	fi
  241. }
  242. 

  243. ipt_cleanup() {
  244. 	local i
  245. 	for i in PREROUTING FORWARD INPUT OUTPUT; do
  246. 		while iptables -t mangle -D $i -m mark --mark 0x0/0xff0000 -j VPR_${i} >/dev/null 2>&1; do : ; done
  247. 	done
  248. 	for i in PREROUTING FORWARD INPUT OUTPUT; do
  249. 		while iptables -t mangle -D $i -j VPR_${i} >/dev/null 2>&1; do : ; done
  250. 	done
  251. }
  252. 

  253. # shellcheck disable=SC2086
  254. ipt() {
  255. 	local d failFlagIpv4=1 failFlagIpv6=1
  256. 	for d in "${*//-A/-D}" "${*//-I/-D}" "${*//-N/-F}" "${*//-N/-X}"; do 
  257. 		[ "$d" != "$*" ] && { iptables $d >/dev/null 2>&1; ip6tables $d >/dev/null 2>&1; }
  258. 	done
  259. 

  260. 	d="$*"; iptables $d >/dev/null 2>&1 && failFlagIpv4=0;
  261. 	if [ "$ipv6Enabled" -gt 0 ]; then ip6tables $d >/dev/null 2>&1 && failFlagIpv6=0; fi
  262. 

  263. 	[ "$failFlagIpv4" -eq 0 ] || [ "$failFlagIpv6" -eq 0 ]
  264. }
  265. 

  266. # shellcheck disable=SC2086
  267. ips() {
  268. 	local command="$1" ipset="${2//-/_}" param="$3" comment="$4" appendix failFlag=0
  269. 	if [ "${ipset//_ip}" != "${ipset}" ]; then
  270. 		ipset="${ipset//_ip}"; appendix='_ip';
  271. 	elif [ "${ipset//_mac}" != "${ipset}" ]; then
  272. 		ipset="${ipset//_mac}"; appendix='_mac';
  273. 	fi
  274. 

  275. 	if [ "$command" = "add_dnsmasq" ]; then
  276. 		[ "$remoteIpset" != 'dnsmasq.ipset' ] && return 1
  277. #	elif [ "$command" = "add_unbound" ]; then
  278. #		[ "$remoteIpset" != 'unbound.ipset' ] && return 1
  279. 	else
  280. 		if [[ -z "$appendix" && -z "$remoteIpset" ]] || \
  281. 			 [[ -n "$appendix" && "$localIpset" -eq 0 ]]; then
  282. 			return 1
  283. 		fi
  284. 	fi
  285. 

  286. 	case "$command" in
  287. 		add_dnsmasq)
  288. 			echo "ipset=/${param}/${ipset} # $comment" >> "$dnsmasqFile" || failFlag=1
  289. 			;;
  290. 		add)
  291. 			ipset -q -! $command "${ipset}${appendix}" $param comment "$comment" || failFlag=1
  292. 			;;
  293. 		create)
  294. 			ipset -q -! "$command" "${ipset}${appendix}" $param || failFlag=1
  295. 			;;
  296. 		destroy|flush)
  297. 			ipset -q -! "$command" "${ipset}${appendix}" 2>/dev/null || failFlag=1
  298. 			return 0
  299. 			;;
  300. 	esac
  301. 	return $failFlag
  302. }
  303. 

  304. ipr()
  305. {
  306. 	[ "$ipruleEnabled" -ne 0 ] || return 1
  307. 	local comment="$1" tid=$(eval echo "\$tid_${2//-/_}") laddr="$3" failFlagIpv4=0 failFlagIpv6=1
  308. 	ip -4 rule del from "$laddr" table "$tid" >/dev/null 2>&1
  309. 	ip -4 rule add from "$laddr" table "$tid" >/dev/null 2>&1 || failFlagIpv4=1
  310. 	if [ "$ipv6Enabled" -ne 0 ]; then
  311. 		ip -6 rule del from "$laddr" table "$tid" >/dev/null 2>&1
  312. 		ip -6 rule add from "$laddr" table "$tid" >/dev/null 2>&1 && failFlagIpv6=0
  313. 	fi
  314. 	if [ "$failFlagIpv4" -eq 0 ] || [ "$failFlagIpv6" -eq 0 ]; then return 0; else return 1; fi
  315. }
  316. 

  317. insert_tor_policy() {
  318. 	local comment="$1" iface="$2" laddr="$3" lport="$4" raddr="$5" rport="$6" proto="$7" chain="${8:-PREROUTING}"
  319. 	local mark=$(eval echo "\$mark_${iface//-/_}")
  320. 	[ -z "$mark" ] && processPolicyError="${processPolicyError}${_ERROR_}: Unknown fw_mark for ${iface}##"
  321. 	param="-t mangle $insertOption VPR_${chain} -j MARK --set-xmark ${mark}/${fwMask}"
  322. 	[ -n "$laddr" ] && param="$param -s $laddr"
  323. 	[ -n "$lport" ] && param="$param -p tcp -m multiport --sport ${lport//-/:}"
  324. 	[ -n "$raddr" ] && param="$param -d $raddr"
  325. 	[ -n "$rport" ] && param="$param -p $proto -m multiport --dport ${rport//-/:}"
  326. 	[ -n "$comment" ] && param="$param -m comment --comment $(str_extras_to_underscore "$comment")"
  327. # Here be dragons
  328. 	return 0
  329. }
  330. 

  331. insert_policy() {
  332. 	local comment="$1" iface="$2" laddr="$3" lport="$4" raddr="$5" rport="$6" proto="$(str_to_lower "$7")" chain="${8:-PREROUTING}"
  333. 	local mark=$(eval echo "\$mark_${iface//-/_}") param i valueNeg value
  334. 	if [ "$ipv6Enabled" -eq 0 ]; then
  335. 		is_ipv6 "$laddr" && return 0
  336. 		is_ipv6 "$raddr" && return 0
  337. 	fi
  338. 

  339. 	if is_ipv4 "$laddr" && is_ipv6 "$raddr"; then return 0; fi
  340. 	if is_ipv6 "$laddr" && is_ipv4 "$raddr"; then return 0; fi
  341. 

  342. 	if [ -z "$mark" ]; then
  343. 		processPolicyError="${processPolicyError}${_ERROR_}: Unknown fw_mark for ${iface}##"
  344. 		return 0
  345. 	fi
  346. 

  347. 	if [ -z "$proto" ]; then
  348. 		if [ -n "$lport" ] || [ -n "$rport" ]; then 
  349. 			proto='tcp udp'
  350. 		else
  351. 			proto='all'
  352. 		fi
  353. 	fi
  354. 

  355. 	for i in $proto; do
  356. 		if [ "$i" = 'all' ]; then
  357. 			param="-t mangle -I VPR_${chain} -j MARK --set-xmark ${mark}/${fwMask}"
  358. 		elif ! is_supported_protocol "$i"; then
  359. 			processPolicyError="${processPolicyError}${_ERROR_}: Unknown protocol '$i' in policy '$comment'##"
  360. 			return 0
  361. 		else
  362. 			param="-t mangle -I VPR_${chain} -j MARK --set-xmark ${mark}/${fwMask} -p $i"
  363. 		fi
  364. 

  365. 		if [ -n "$laddr" ]; then
  366. 			if [ "${laddr:0:1}" = "!" ]; then
  367. 				valueNeg='!'; value="${laddr:1}"
  368. 			else
  369. 				unset valueNeg; value="$laddr";
  370. 			fi
  371. 			if is_phys_dev "$value"; then
  372. 				param="$param $valueNeg -m physdev --physdev-in ${value:1}"
  373. 			elif is_mac_address "$value"; then
  374. 				param="$param -m mac $valueNeg --mac-source $value"
  375. 			elif [ "${appendLocalPolicy//-d}" != "$appendLocalPolicy" ] && [ -n "$raddr" ]; then
  376. 				param="$param $valueNeg -s $value"
  377. 				processPolicyError="${processPolicyError}${_ERROR_}: Cannot append '$comment' policy with '$appendLocalPolicy' as destination is already set to '$raddr'##"
  378. 			else
  379. 				param="$param $valueNeg -s $value $appendLocalPolicy"
  380. 			fi
  381. 		fi
  382. 

  383. 		if [ -n "$lport" ]; then
  384. 			if [ "${lport:0:1}" = "!" ]; then
  385. 				valueNeg='!'; value="${lport:1}"
  386. 			else
  387. 				unset valueNeg; value="$lport";
  388. 			fi
  389. 			param="$param -m multiport $valueNeg --sport ${value//-/:}"
  390. 		fi
  391. 

  392. 		if [ -n "$raddr" ]; then 
  393. 			if [ "${raddr:0:1}" = "!" ]; then
  394. 				valueNeg='!'; value="${raddr:1}"
  395. 			else
  396. 				unset valueNeg; value="$raddr";
  397. 			fi
  398. 			if [ "${appendRemotePolicy//-s}" != "$appendRemotePolicy" ] && [ -n "$laddr" ]; then
  399. 				param="$param $valueNeg -d $value"
  400. 				processPolicyError="${processPolicyError}${_ERROR_}: Cannot append '$comment' policy with '$appendRemotePolicy' as source is already set to '$laddr'\\n"
  401. 			else
  402. 				param="$param $valueNeg -d $value $appendRemotePolicy"
  403. 			fi
  404. 		fi
  405. 

  406. 		if [ -n "$rport" ]; then
  407. 			if [ "${rport:0:1}" = "!" ]; then
  408. 				valueNeg='!'; value="${rport:1}"
  409. 			else
  410. 				unset valueNeg; value="$rport";
  411. 			fi
  412. 			param="$param -m multiport $valueNeg --dport ${value//-/:}"
  413. 		fi
  414. 

  415. 		[ -n "$comment" ] && param="$param -m comment --comment $(str_extras_to_underscore "$comment")"
  416. 		ipt "$param" || processPolicyError="${processPolicyError}${_ERROR_}: iptables $param\\n"
  417. 	done
  418. 	return 0
  419. }
  420. 

  421. r_process_policy(){
  422. 	local comment="$1" iface="$2" laddr="$3" lport="$4" raddr="$5" rport="$6" proto="$7" chain="$8" resolved_laddr resolved_raddr i ipsFailFlag
  423. 	if [ "${laddr//[ ;\{\}]/}" != "$laddr" ]; then
  424. 		for i in $(str_extras_to_space "$laddr"); do [ -n "$i" ] && r_process_policy "$comment" "$iface" "$i" "$lport" "$raddr" "$rport" "$proto" "$chain"; done
  425. 		return 0
  426. 	elif [ "${lport//[ ;\{\}]/}" != "$lport" ]; then
  427. 		for i in $(str_extras_to_space "$lport"); do [ -n "$i" ] && r_process_policy "$comment" "$iface" "$laddr" "$i" "$raddr" "$rport" "$proto" "$chain"; done
  428. 		return 0
  429. 	elif [ "${raddr//[ ;\{\}]/}" != "$raddr" ]; then
  430. 		for i in $(str_extras_to_space "$raddr"); do [ -n "$i" ] && r_process_policy "$comment" "$iface" "$laddr" "$lport" "$i" "$rport" "$proto" "$chain"; done
  431. 		return 0
  432. 	elif [ "${rport//[ ;\{\}]/}" != "$rport" ]; then
  433. 		for i in $(str_extras_to_space "$rport"); do [ -n "$i" ] && r_process_policy "$comment" "$iface" "$laddr" "$lport" "$raddr" "$i" "$proto" "$chain"; done
  434. 		return 0
  435. 	fi
  436. 

  437. 	# start non-recursive processing 
  438. 	# process TOR, netmask, physical device and mac-address separately, so we don't send them to resolveip
  439. 	if is_tor "$iface"; then
  440. 		insert_tor_policy "$comment" "$iface" "$laddr" "$lport" "$raddr" "$rport" "$proto" "$chain"
  441. 	elif is_phys_dev "$laddr"; then
  442. 		insert_policy "$comment" "$iface" "$laddr" "$lport" "$raddr" "$rport" "$proto" "$chain"
  443. 	elif [ -n "$laddr" ] && [ -z "${lport}${raddr}${rport}" ] && [ "$chain" = 'PREROUTING' ]; then
  444. 		if is_mac_address "$laddr"; then
  445. 			if [ -n "$proto" ] && [ "$proto" != 'all' ] && [ "$localIpset" -ne 0 ]; then
  446. 				processPolicyWarning="${processPolicyWarning}${_WARNING_}: Please unset 'proto' or set 'proto' to 'all' for policy '$comment', mac-address '$laddr'\\n"
  447. 			fi
  448. 			ips 'add' "${iface}_mac" "$laddr" "${comment}: $laddr" || ipsFailFlag=1
  449. 		else
  450. 			if [ -n "$proto" ] && [ "$proto" != "all" ] && [ "$localIpset" -ne 0 ]; then
  451. 				processPolicyWarning="${processPolicyWarning}${_WARNING_}: Please unset 'proto' or set 'proto' to 'all' for policy '$comment', address '$laddr'\\n"
  452. 			fi
  453. 			if ! ips 'add' "${iface}_ip" "$laddr" "${comment}: $laddr"; then
  454. 				ipr "$comment" "$iface" "$i" || ipsFailFlag=1
  455. 			fi
  456. 		fi
  457. 	elif [ -n "$raddr" ] && [ -z "${laddr}${lport}${rport}" ] && [ "$chain" = 'PREROUTING' ] && [ -n "$remoteIpset" ]; then
  458. 		if [ -n "$proto" ] && [ "$proto" != 'all' ]; then
  459. 			processPolicyWarning="${processPolicyWarning}${_WARNING_}: Please unset 'proto' or set 'proto' to 'all' for policy '$comment', domain '$raddr'\\n"
  460. 		fi
  461. 		case "$remoteIpset" in
  462. 		ipset)
  463. 			ips 'add' "${iface}" "$raddr" "${comment}: $raddr" || ipsFailFlag=1;;
  464. 		dnsmasq.ipset)
  465. 			if is_domain "$raddr"; then ips 'add_dnsmasq' "${iface}" "$raddr" "${comment}" || ipsFailFlag=1
  466. 			else ips 'add' "${iface}" "$raddr" "${comment}: $raddr" || ipsFailFlag=1; fi;;
  467. 		esac
  468. 	else
  469. 		ipsFailFlag=1
  470. 	fi
  471. 	if [ -n "$ipsFailFlag" ]; then
  472. 		if is_mac_address "$laddr"; then
  473. 		insert_policy "$comment" "$iface" "$laddr" "$lport" "$raddr" "$rport" "$proto" "$chain"
  474. 		elif is_netmask "$laddr" || is_netmask "$raddr"; then
  475. 			insert_policy "$comment" "$iface" "$laddr" "$lport" "$raddr" "$rport" "$proto" "$chain"
  476. 		else
  477. 			[ -n "$laddr" ] && resolved_laddr="$(resolveip "$laddr")"
  478. 			[ -n "$raddr" ] && resolved_raddr="$(resolveip "$raddr")"
  479. 			if [ -n "$resolved_laddr" ] && [ "$resolved_laddr" != "$laddr" ]; then
  480. 				for i in $resolved_laddr; do [ -n "$i" ] && r_process_policy "$comment $laddr" "$iface" "$i" "$lport" "$raddr" "$rport" "$proto" "$chain"; done
  481. 			elif [ -n "$resolved_raddr" ] && [ "$resolved_raddr" != "$raddr" ]; then
  482. 					for i in $resolved_raddr; do [ -n "$i" ] && r_process_policy "$comment $raddr" "$iface" "$laddr" "$lport" "$i" "$rport" "$proto" "$chain"; done
  483. 			else
  484. 				insert_policy "$comment" "$iface" "$laddr" "$lport" "$raddr" "$rport" "$proto" "$chain"
  485. 			fi
  486. 		fi
  487. 	fi
  488. }
  489. 

  490. process_policy(){
  491. 	local name comment iface laddr lport raddr rport param mark processPolicyError processPolicyWarning proto chain enabled
  492. 	config_get comment "$1" 'comment'
  493. 	config_get name    "$1" 'name' 'blank'
  494. 	config_get iface   "$1" 'interface'
  495. 	config_get laddr   "$1" 'src_addr'
  496. 	config_get lport   "$1" 'src_port'
  497. 	config_get raddr   "$1" 'dest_addr'
  498. 	config_get rport   "$1" 'dest_port'
  499. 	config_get proto   "$1" 'proto'
  500. 	config_get chain   "$1" 'chain' 'PREROUTING'
  501. 	config_get_bool enabled "$1" 'enabled' 1
  502. 

  503. 	[ "$enabled" -gt 0 ] || return 0
  504. 	proto="$(str_to_lower "$proto")"
  505. 	[ "$proto" = 'auto' ] && unset proto
  506. 

  507. 	comment="${comment:-$name}"
  508. 	output 2 "Routing '$comment' via $iface "
  509. 

  510. 	if [ -z "$comment" ]; then
  511. 		errorSummary="${errorSummary}${_ERROR_}: Policy name is empty\\n"
  512. 		output_fail; return 1;
  513. 	fi
  514. 	if [ -z "${laddr}${lport}${raddr}${rport}" ]; then
  515. 		errorSummary="${errorSummary}${_ERROR_}: Policy '$comment' missing all IPs/ports\\n"
  516. 		output_fail; return 1;
  517. 	fi
  518. 	if [ -z "$iface" ]; then
  519. 		errorSummary="${errorSummary}${_ERROR_}: Policy '$comment' has no assigned interface\\n"
  520. 		output_fail; return 1;
  521. 	fi
  522. 	if ! is_supported_interface "$iface"; then
  523. 		errorSummary="${errorSummary}${_ERROR_}: Policy '$comment' has unknown interface: '${iface}'\\n"
  524. 		output_fail; return 1;
  525. 	fi
  526. 

  527. 	lport="${lport//  / }"; lport="${lport// /,}"; lport="${lport//,\!/ !}"; 
  528. 	rport="${rport//  / }"; rport="${rport// /,}"; rport="${rport//,\!/ !}";
  529. 	r_process_policy "$comment" "$iface" "$laddr" "$lport" "$raddr" "$rport" "$proto" "$chain"
  530. 	if [ -n "$processPolicyWarning" ]; then
  531. 		warningSummary="${warningSummary}${processPolicyWarning}\\n"
  532. 	fi
  533. 	if [ -n "$processPolicyError" ]; then
  534. 		output_fail
  535. 		errorSummary="${errorSummary}${processPolicyError}\\n"
  536. 	else
  537. 		output_ok
  538. 	fi
  539. }
  540. 

  541. table_destroy(){
  542. 	local tid="$1" iface="$2" mark="$3"
  543. 	if [ -n "$tid" ] && [ -n "$iface" ] && [ -n "$mark" ]; then
  544. 		ip -4 rule del fwmark "$mark" table "$tid" >/dev/null 2>&1
  545. 		ip -6 rule del fwmark "$mark" table "$tid" >/dev/null 2>&1
  546. 	 	ip -4 rule del table "$tid" >/dev/null 2>&1
  547. 		ip -6 rule del table "$tid" >/dev/null 2>&1
  548. 		ip -4 route flush table "$tid";
  549. 		ip -6 route flush table "$tid";
  550. 		ips 'flush' "${iface}"; ips 'destroy' "${iface}";
  551. 		ips 'flush' "${iface}_ip"; ips 'destroy' "${iface}_ip";
  552. 		ips 'flush' "${iface}_mac"; ips 'destroy' "${iface}_mac";
  553. 		ip -4 route flush cache
  554. 		ip -6 route flush cache
  555. 		return 0
  556. 	else
  557. 		return 1
  558. 	fi
  559. }
  560. 

  561. # shellcheck disable=SC2086
  562. table_create(){
  563. 	local tid="$1" mark="$2" iface="$3" gw4="$4" dev="$5" gw6="$6" dev6="$7" dscp s=0 i ipv4_error=0 ipv6_error=0
  564. 

  565. 	if [ -z "$tid" ] || [ -z "$mark" ] || [ -z "$iface" ]; then
  566. 		return 1
  567. 	fi
  568. 

  569. 	table_destroy "$tid" "$iface" "$mark"
  570. 

  571. 	if [ -n "$gw4" ] || [ "$strictMode" -ne 0 ]; then
  572. 		if [ -z "$gw4" ]; then
  573. 			ip -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1
  574. 		else
  575. 			ip -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1
  576. 		fi
  577. 		ip -4 route ls table main | grep -v 'br-lan' | while read -r i; do
  578. 			idev="$(echo "$i" | grep -Eso 'dev [^ ]*' | awk '{print $2}')"
  579. 			if ! is_supported_iface_dev "$idev"; then
  580. 				ip -4 route add $i table "$tid" >/dev/null 2>&1 || ipv4_error=1
  581. 			fi
  582. 		done
  583. 		ip -4 route flush cache || ipv4_error=1
  584. 		ip -4 rule add fwmark "${mark}/${fwMask}" table "$tid" || ipv4_error=1
  585. 	fi
  586. 

  587. 	if [ "$ipv6Enabled" -ne 0 ]; then
  588. 		if { [ -n "$gw6" ] && [ "$gw6" != "::/0" ]; } || [ "$strictMode" -ne 0 ]; then
  589. 			if [ -z "$gw6" ] || [ "$gw6" = "::/0" ]; then
  590. 				ip -6 route add unreachable default table "$tid" || ipv6_error=1
  591. 			else
  592. 				ip -6 route ls table main | grep " dev $dev6 " | while read -r i; do
  593. 					ip -6 route add $i table "$tid" >/dev/null 2>&1 || ipv6_error=1
  594. 				done
  595. 			fi
  596. 			ip -6 route flush cache || ipv6_error=1
  597. 			ip -6 rule add fwmark "${mark}/${fwMask}" table "$tid" || ipv6_error=1
  598. 		fi
  599. 	fi
  600. 

  601. 	if [ $ipv4_error -eq 0 ] || [ $ipv6_error -eq 0 ]; then
  602. 		dscp="$(uci -q get "${packageName}".config."${iface}"_dscp)"
  603. 		if [ "${dscp:-0}" -ge 1 ] && [ "${dscp:-0}" -le 63 ]; then
  604. 			ipt -t mangle -I VPR_PREROUTING -m dscp --dscp "${dscp}" -j MARK --set-xmark "${mark}/${fwMask}" || s=1
  605. 		fi
  606. 		if [ -n "$remoteIpset" ]; then
  607. 			if ips 'create' "${iface}" 'hash:net comment' && ips 'flush' "${iface}"; then
  608. 				for i in PREROUTING FORWARD INPUT OUTPUT; do
  609. 					ipt -t mangle -I VPR_${i} -m set --match-set "${iface}" dst -j MARK --set-xmark "${mark}/${fwMask}" || s=1
  610. 				done
  611. 			else
  612. 			s=1
  613. 			fi
  614. 		fi
  615. 		if [ "$localIpset" -ne 0 ]; then
  616. 			if ips 'create' "${iface}_ip" 'hash:net comment' && ips 'flush' "${iface}_ip"; then
  617. 				ipt -t mangle -I VPR_PREROUTING -m set --match-set "${iface}_ip" src -j MARK --set-mark "${mark}/${fwMask}" || s=1
  618. 			else
  619. 			s=1
  620. 			fi
  621. 			if ips 'create' "${iface}_mac" 'hash:mac comment' && ips 'flush' "${iface}_mac"; then
  622. 				ipt -t mangle -I VPR_PREROUTING -m set --match-set "${iface}_mac" src -j MARK --set-mark "${mark}/${fwMask}" || s=1
  623. 			else
  624. 			s=1
  625. 			fi
  626. 		fi
  627. 		if [ "$iface" = "$icmpIface" ]; then
  628. 			ipt -t mangle -I VPR_OUTPUT -p icmp -j MARK --set-xmark "${mark}/${fwMask}" || s=1
  629. 		fi
  630. 	else
  631. 		s=1
  632. 	fi
  633. 

  634. 	return $s
  635. }
  636. 

  637. process_interface(){
  638. 	local gw4 gw6 dev dev6 s=0 dscp iface="$1" action="$2" displayText
  639. 

  640. 	is_supported_interface "$iface" || return 0
  641. 	is_wan6 "$iface" && return 0
  642. 	[ $((ifaceMark)) -gt $((fwMask)) ] && return 1
  643. 

  644. 	network_get_device dev "$iface"
  645. 	[ -z "$dev" ] && config_get dev "$iface" 'ifname'
  646. 	if is_wan "$iface" && [ -n "$wanIface6" ]; then
  647. 		network_get_device dev6 "$wanIface6"
  648. 		[ -z "$dev6" ] && config_get dev6 "$wanIface6" 'ifname'
  649. 	fi
  650. 	[ -z "$dev6" ] && dev6="$dev"
  651. 

  652. 	[ -z "$ifaceTableID" ] && ifaceTableID="$wanTableID"; [ -z "$ifaceMark" ] && ifaceMark="$wanMark";
  653. 

  654. 	case "$action" in
  655. 		destroy)
  656. 			table_destroy "${ifaceTableID}" "${iface}" "${ifaceMark}"
  657. 			ifaceTableID="$((ifaceTableID + 1))"; ifaceMark="$(printf '0x%06x' $((ifaceMark + wanMark)))";
  658. 			;;
  659. 		create)
  660. 			export "mark_${iface//-/_}=$ifaceMark"; export "tid_${iface//-/_}=$ifaceTableID";
  661. 			table_destroy "${ifaceTableID}" "${iface}"
  662. 			vpr_get_gateway gw4 "$iface" "$dev"
  663. 			vpr_get_gateway6 gw6 "$iface" "$dev6"
  664. 			if [ "$iface" = "$dev" ]; then
  665. 				displayText="${iface}/${gw4:-0.0.0.0}"
  666. 			else
  667. 				displayText="${iface}/${dev}/${gw4:-0.0.0.0}"
  668. 			fi
  669. 			[ "$ipv6Enabled" -ne 0 ] && displayText="${displayText}/${gw6:-::/0}"
  670. 			output 2 "Creating table '$displayText' "
  671. 			is_default_dev "$dev" && displayText="${displayText} ${__OK__}"
  672. 			if table_create "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6"; then
  673. 				gatewaySummary="${gatewaySummary}${displayText}\\n"
  674. 				output_ok
  675. 			else
  676. 				errorSummary="${errorSummary}${_ERROR_}: Failed to set up '$displayText'\\n"
  677. 				output_fail
  678. 			fi
  679. 			ifaceTableID="$((ifaceTableID + 1))"; ifaceMark="$(printf '0x%06x' $((ifaceMark + wanMark)))";
  680. 			;;
  681. 	esac
  682. 	return $s
  683. }
  684. 

  685. convert_config(){
  686. 	local i
  687. 	[ -s "/etc/config/${packageName}" ] || return 0
  688. 	sed -i 's/ignored_interfaces/ignored_interface/g' "/etc/config/${packageName}"
  689. 	sed -i 's/supported_interfaces/supported_interface/g' "/etc/config/${packageName}"
  690. 	sed -i 's/local_addresses/local_address/g' "/etc/config/${packageName}"
  691. 	sed -i 's/local_ports/local_port/g' "/etc/config/${packageName}"
  692. 	sed -i 's/remote_addresses/remote_address/g' "/etc/config/${packageName}"
  693. 	sed -i 's/remote_ports/remote_port/g' "/etc/config/${packageName}"
  694. 	sed -i 's/ipset_enabled/remote_ipset/g' "/etc/config/${packageName}"
  695. 	sed -i 's/dnsmasq_enabled/dnsmasq_ipset/g' "/etc/config/${packageName}"
  696. 	sed -i 's/enable_control/webui_enable_column/g' "/etc/config/${packageName}"
  697. 	sed -i 's/proto_control/webui_protocol_column/g' "/etc/config/${packageName}"
  698. 	sed -i 's/chain_control/webui_chain_column/g' "/etc/config/${packageName}"
  699. 	sed -i 's/sort_control/webui_sorting/g' "/etc/config/${packageName}"
  700. 	sed -i 's/local_address/src_addr/g' "/etc/config/${packageName}"
  701. 	sed -i 's/local_port/src_port/g' "/etc/config/${packageName}"
  702. 	sed -i 's/remote_address/dest_addr/g' "/etc/config/${packageName}"
  703. 	sed -i 's/remote_port/dest_port/g' "/etc/config/${packageName}"
  704. 	sed -i 's/append_local_rules/append_src_rules/g' "/etc/config/${packageName}"
  705. 	sed -i 's/append_remote_rules/append_dest_rules/g' "/etc/config/${packageName}"
  706. 	sync
  707. 	config_load "$packageName"
  708. 	config_get_bool dnsmasqIpset        'config' 'dnsmasq_ipset' 0
  709. 	config_get      remoteIpset         'config' 'remote_ipset'
  710. 	config_get      webuiProtocol       'config' 'webui_supported_protocol'
  711. # shellcheck disable=SC2154
  712. 	if [ "$dnsmasqIpset" = "1" ]; then
  713. 		remoteIpset="dnsmasq.ipset";
  714. 	elif [ "$remoteIpset" = "1" ]; then
  715. 		remoteIpset="ipset";
  716. 	elif [ "$remoteIpset" = "0" ]; then
  717. 		remoteIpset=""
  718. 	fi
  719. 	uci -q del "$packageName.config.dnsmasq_ipset"
  720. 	uci -q set "$packageName".config.remote_ipset="$remoteIpset"
  721. # shellcheck disable=SC2154
  722. 	if [ -z "$webuiProtocol" ]; then
  723. 		uci add_list "$packageName".config.webui_supported_protocol='tcp'
  724. 		uci add_list "$packageName".config.webui_supported_protocol='udp'
  725. 		uci add_list "$packageName".config.webui_supported_protocol='tcp udp'
  726. 		uci add_list "$packageName".config.webui_supported_protocol='icmp'
  727. 		uci add_list "$packageName".config.webui_supported_protocol='all'
  728. 	fi
  729. 	uci commit "$packageName"
  730. 	sed -i 's/local_ipset/src_ipset/g' "/etc/config/${packageName}"
  731. 	sed -i 's/remote_ipset/dest_ipset/g' "/etc/config/${packageName}"
  732. 	for i in udp_proto_enabled forward_chain_enabled input_chain_enabled output_chain_enabled; do
  733. 		grep -q "$i" "/etc/config/${packageName}" && output "${_WARNING_}: $i setting is not supported in ${serviceName}.\\n"
  734. 	done
  735. }
  736. 

  737. check_config(){ local en; config_get_bool en "$1" 'enabled' 1; [ "$en" -gt 0 ] && _cfg_enabled=0; }
  738. is_config_enabled(){
  739. 	local cfg="$1" _cfg_enabled=1
  740. 	[ -n "$1" ] || return 1
  741. 	config_load "$packageName"
  742. 	config_foreach check_config "$cfg"
  743. 	return "$_cfg_enabled"
  744. }
  745. 

  746. process_user_file(){
  747. 	local path enabled shellBin="${SHELL:-/bin/ash}"
  748. 	config_get_bool enabled "$1" 'enabled' 1
  749. 	config_get      path    "$1" 'path'
  750. 	[ "$enabled" -gt 0 ] || return 0
  751. 	if [ ! -s "$path" ]; then
  752. 		errorSummary="${errorSummary}${_ERROR_}: Custom user file '$path' not found or empty\\n"
  753. 		output_fail
  754. 		return 1
  755. 	fi
  756. 	if ! $shellBin -n "$path"; then
  757. 		errorSummary="${errorSummary}${_ERROR_}: Syntax error in custom user file '$path'\\n"
  758. 		output_fail
  759. 		return 1
  760. 	fi
  761. # shellcheck disable=SC1090
  762. 	if ! . "$path"; then
  763. 		errorSummary="${errorSummary}${_ERROR_}: Error running custom user file '$path'\\n"
  764. 		output_fail
  765. 		return 1
  766. 	else
  767. 		output 2 "Running $path "
  768. 		output_ok
  769. 		return 0
  770. 	fi
  771. }
  772. 

  773. start_service() {
  774. 	local gatewaySummary errorSummary warningSummary dnsmasqStoredHash dnsmasqNewHash i modprobeStatus=0
  775. 	convert_config
  776. 	is_enabled 'on_start' || return 1
  777. 	is_wan_up || return 0
  778. 	if create_lock; then
  779. 		if [ -s "$dnsmasqFile" ]; then
  780. 			dnsmasqStoredHash="$(md5sum $dnsmasqFile | awk '{ print $1; }')"
  781. 			rm -f "$dnsmasqFile"
  782. 		fi
  783. 

  784. 		for i in xt_set ip_set ip_set_hash_ip; do
  785. 			modprobe "$i" >/dev/null 2>/dev/null || modprobeStatus=$((modprobeStatus + 1))
  786. 		done
  787. 

  788. 		if [ "$modprobeStatus" -gt 0 ] && ! is_chaos_calmer; then
  789. 			errorSummary="${errorSummary}${_ERROR_}: Failed to load kernel modules\\n"
  790. 		fi
  791. 

  792. 		for i in PREROUTING FORWARD INPUT OUTPUT; do
  793. 			ipt -t mangle -N "VPR_${i}"
  794. 			ipt -t mangle "$insertOption" "$i" -m mark --mark "0x0/${fwMask}" -j "VPR_${i}"
  795. 		done
  796. 

  797. 		output 1 'Processing Interfaces '
  798. 		config_load 'network'; config_foreach process_interface 'interface' 'create';
  799. 		output 1 '\n'
  800. 		if is_config_enabled 'policy'; then
  801. 			output 1 'Processing Policies '
  802. 			config_load "$packageName"; config_foreach process_policy 'policy';
  803. 			output 1 '\n'
  804. 		fi
  805. 		if is_config_enabled 'include'; then
  806. 			output 1 'Processing User File(s) '
  807. 			config_load "$packageName"; config_foreach process_user_file 'include';
  808. 			output 1 '\n'
  809. 		fi
  810. 

  811. 		if [ -s "$dnsmasqFile" ]; then
  812. 			dnsmasqNewHash="$(md5sum $dnsmasqFile | awk '{ print $1; }')"
  813. 		fi
  814. 		[ "$dnsmasqNewHash" != "$dnsmasqStoredHash" ] && dnsmasq_restart
  815. 

  816. 		if [ -z "$gatewaySummary" ]; then
  817. 			errorSummary="${errorSummary}${_ERROR_}: failed to set up any gateway\\n"
  818. 		else
  819. 			output "$serviceName started with gateways:\\n${gatewaySummary}"
  820. 			[ -n "$errorSummary" ] && output "${errorSummary}"
  821. 			[ -n "$warningSummary" ] && output "${warningSummary}"
  822. 		fi
  823. 		procd_open_instance "main"
  824. 		procd_set_param command /bin/true
  825. 		procd_set_param stdout 1
  826. 		procd_set_param stderr 1
  827. 		procd_open_data
  828. 		json_add_array 'status'
  829. 		json_add_object ''
  830. 		[ -n "$gatewaySummary" ] && json_add_string gateway "$gatewaySummary"
  831. 		[ -n "$errorSummary" ] && json_add_string error "$errorSummary"
  832. 		[ -n "$warningSummary" ] && json_add_string warning "$warningSummary"
  833. 		if [ "$strictMode" -ne 0 ] && [ "${gatewaySummary//0.0.0.0}" != "${gatewaySummary}" ]; then
  834. 			json_add_string mode "strict"
  835. 		fi
  836. 		json_close_object
  837. 		json_close_array
  838. 		procd_close_data
  839. 		procd_close_instance
  840. 		remove_lock
  841. 	else
  842. 		output "$serviceName: another instance of ${packageName} is currently running "
  843. 		output_failn
  844. 		return 1
  845. 	fi
  846. }
  847. 

  848. restart() { reload; }
  849. restart_service() { reload; }
  850. 

  851. stop_service() {
  852. 	local i
  853. 	iptables -t mangle -L | grep -q VPR_PREROUTING || return 0
  854. 	if create_lock; then
  855. 		load_package_config
  856. 		for i in PREROUTING FORWARD INPUT OUTPUT; do
  857. 			ipt -t mangle -D "${i}" -m mark --mark "0x0/${fwMask}" -j "VPR_${i}"
  858. 			ipt -t mangle -F "VPR_${i}"; ipt -t mangle -X "VPR_${i}";
  859. 		done
  860. 		config_load 'network'; config_foreach process_interface 'interface' 'destroy'
  861. 		unset ifaceTableID; unset ifaceMark;
  862. 		if [ -s "$dnsmasqFile" ]; then
  863. 			rm -f "$dnsmasqFile"
  864. 			dnsmasq_restart
  865. 		fi
  866. 		if [ "$serviceEnabled" -ne 0 ]; then
  867. 			output "$serviceName stopped "; output_okn;
  868. 		fi
  869. 		remove_lock
  870. 	else
  871. 		output "$serviceName: another instance of ${packageName} is currently running "; output_failn;
  872. 		return 1
  873. 	fi
  874. }
  875. 

  876. # shellcheck disable=SC2119
  877. service_triggers() {
  878. 	local n
  879. 	is_enabled || return 1
  880. 

  881. 	procd_open_validate
  882. 		validate_config
  883. 		validate_policy
  884. 		validate_include
  885. 	procd_close_validate
  886. 

  887. 	procd_add_reload_trigger 'firewall' 'openvpn' 'vpn-policy-routing'
  888. 	procd_open_trigger
  889. 		for n in $ifSupported; do procd_add_reload_interface_trigger "$n"; procd_add_interface_trigger "interface.*" "$n" /etc/init.d/${packageName} reload; done;
  890. 	procd_close_trigger
  891. 

  892. 	if [ "$verbosity" -eq 2 ]; then
  893. 		output "$serviceName monitoring interfaces: $ifSupported.\\n"
  894. 	fi
  895. }
  896. 

  897. input() { local data; while read -r data; do echo "$data" | tee -a /var/${packageName}-support; done; }
  898. status_service() { support "$@"; }
  899. support() {
  900. 	local dist vers out id s param status set_d set_p tableCount i=0 dev dev6
  901. 	is_enabled
  902. 

  903. 	json_load "$(ubus call system board)"; json_select release; json_get_var dist distribution; json_get_var vers version
  904. 	if [ -n "$wanIface4" ]; then
  905. 		network_get_gateway wanGW4 "$wanIface4"
  906. 		dev="$(uci -q get network."${wanIface4}".ifname)"
  907. 	fi
  908. 	if [ -n "$wanIface6" ]; then
  909. 		dev6="$(uci -q get network."${wanIface6}".ifname)"
  910. 		wanGW6=$(ip -6 route show | grep -m1 " dev $dev6 " | awk '{print $1}')
  911. 		[ "$wanGW6" = "default" ] && wanGW6=$(ip -6 route show | grep -m1 " dev $dev6 " | awk '{print $3}')
  912. 	fi
  913. 	while [ "${1:0:1}" = "-" ]; do param="${1//-/}"; export "set_$param=1"; shift; done
  914. 	[ -e "/var/${packageName}-support" ] && rm -f "/var/${packageName}-support"
  915. 	status="$serviceName running on $dist $vers."
  916. 	[ -n "$wanIface4" ] && status="$status WAN (IPv4): $wanIface4/dev/${wanGW4:-0.0.0.0}."
  917. 	[ -n "$wanIface6" ] && status="$status WAN (IPv6): $wanIface6/dev6/${wanGW6:-::/0}."
  918. 	{
  919. 		echo "$status"
  920. 		echo "============================================================"
  921. 			dnsmasq --version 2>/dev/null | sed '/^$/,$d'
  922. 		[ -n "$1" ] && {
  923. 			echo "============================================================"
  924. 				echo "Resolving domains"
  925. 				while [ -n "$1" ]; do echo "$1: $(resolveip "$1" | tr '\n' ' ')"; shift; done; }
  926. 		echo "============================================================"
  927. 			echo "Routes/IP Rules"
  928. 			tableCount=$(ip rule list | grep -c 'fwmark') || tableCount=0
  929. 			if [ -n "$set_d" ]; then route; else route | grep '^default'; fi
  930. 			if [ -n "$set_d" ]; then ip rule list; fi # || ip rule list | grep 'fwmark'
  931. 			i=0; while [ $i -lt $tableCount ]; do echo "IPv4 Table $((wanTableID + i)): $(ip route show table $((wanTableID + i)))"; echo "IPv4 Table $((wanTableID + i)) Rules:"; ip rule list | grep $((wanTableID + i)); i=$((i + 1)); done
  932. 			[ "$ipv6Enabled" -ne 0 ] && {
  933. 				i=0; while [ $i -lt $tableCount ]; do
  934. 					ip -6 route show table $((wanTableID + i)) | while read -r param; do echo "IPv6 Table $((wanTableID + i)): $param"; done
  935. 					i=$((i + 1))
  936. 				done; }
  937. 		echo "============================================================"
  938. 			if [ -z "$set_d" ]; then echo "IP Tables PREROUTING"; else echo "IP Tables"; fi
  939. 			if [ -z "$set_d" ]; then iptables -v -t mangle -S VPR_PREROUTING; else iptables -L -t mangle; fi
  940. 		[ "$ipv6Enabled" -ne 0 ] && {
  941. 		echo "============================================================"
  942. 			if [ -z "$set_d" ]; then echo "IP6 Tables PREROUTING"; else echo "IP6 Tables"; fi
  943. 			if [ -z "$set_d" ]; then ip6tables -v -t mangle -S VPR_PREROUTING; else ip6tables -L -t mangle; fi
  944. 		}
  945. 		[ -z "$set_d" ] && { echo "============================================================"
  946. 			echo "IP Tables FORWARD"
  947. 			iptables -v -t mangle -S VPR_FORWARD
  948. 		[ "$ipv6Enabled" -ne 0 ] && {
  949. 		echo "============================================================"
  950. 			echo "IPv6 Tables FORWARD"
  951. 			ip6tables -v -t mangle -S VPR_FORWARD
  952. 		};}
  953. 		[ -z "$set_d" ] && { echo "============================================================"
  954. 			echo "IP Tables INPUT"
  955. 			iptables -v -t mangle -S VPR_INPUT
  956. 		[ "$ipv6Enabled" -ne 0 ] && {
  957. 		echo "============================================================"
  958. 			echo "IPv6 Tables INPUT"
  959. 			ip6tables -v -t mangle -S VPR_INPUT
  960. 		};}
  961. 		[ -z "$set_d" ] && { echo "============================================================"
  962. 			echo "IP Tables OUTPUT"
  963. 			iptables -v -t mangle -S VPR_OUTPUT
  964. 		[ "$ipv6Enabled" -ne 0 ] && {
  965. 		echo "============================================================"
  966. 			echo "IPv6 Tables OUTPUT"
  967. 			ip6tables -v -t mangle -S VPR_OUTPUT
  968. 		};}
  969. 		echo "============================================================"
  970. 			echo "Current ipsets"
  971. 			ipset save
  972. 		if [ -s "$dnsmasqFile" ]; then
  973. 			echo "============================================================"
  974. 				echo "DNSMASQ ipsets"
  975. 				cat "$dnsmasqFile"
  976. 		fi
  977. 		echo "============================================================"
  978. 	} | input
  979. 	if [ -n "$set_p" ]; then
  980. 		printf "%b" "Pasting to paste.ee... "
  981. 		if is_installed 'curl' && is_installed 'libopenssl' && is_installed 'ca-bundle'; then
  982. 			json_init; json_add_string "description" "${packageName}-support"
  983. 			json_add_array "sections"; json_add_object '0'
  984. 			json_add_string "name" "$(uci -q get system.@system[0].hostname)"
  985. 			json_add_string "contents" "$(cat /var/${packageName}-support)"
  986. 			json_close_object; json_close_array; payload=$(json_dump)
  987. 			out=$(curl -s -k "https://api.paste.ee/v1/pastes" -X "POST" -H "Content-Type: application/json" -H "X-Auth-Token:uVOJt6pNqjcEWu7qiuUuuxWQafpHhwMvNEBviRV2B" -d "$payload")
  988. 			json_load "$out"; json_get_var id id; json_get_var s success
  989. 			[ "$s" = "1" ] && printf "%b" "https://paste.ee/p/$id $__OK__" || printf "%b" "$__FAIL__"
  990. 			[ -e "/var/${packageName}-support" ] && rm -f "/var/${packageName}-support"
  991. 		else
  992. 			printf "%b" "$__FAIL__\\n"
  993. 			printf "%b" "$_ERROR_: curl, libopenssl or ca-bundle were not found!\\nRun 'opkg update; opkg install curl libopenssl ca-bundle' to install them.\\n"
  994. 		fi
  995. 	else
  996. 		printf "%b" "Your support details have been logged to '/var/${packageName}-support'. $__OK__\\n"
  997. 	fi
  998. }
  999. 

  1000. # shellcheck disable=SC2120
  1001. validate_config() {
  1002. 	uci_validate_section "${packageName}" config "${1}" \
  1003. 		'enabled:bool:0' \
  1004. 		'verbosity:range(0,2):1' \
  1005. 		'strict_enforcement:bool:1' \
  1006. 		'src_ipset:bool:0' \
  1007. 		'dest_ipset:string' \
  1008. 		'ipv6_enabled:bool:0' \
  1009. 		'supported_interface:list(string)' \
  1010. 		'ignored_interface:list(string)' \
  1011. 		'boot_timeout:integer:30' \
  1012. 		'iptables_rule_option:or("", "append", "insert")' \
  1013. 		'iprule_enabled:bool:0' \
  1014. 		'webui_enable_column:bool:0' \
  1015. 		'webui_protocol_column:bool:0' \
  1016. 		'webui_supported_protocol:list(string)' \
  1017. 		'webui_chain_column:bool:0' \
  1018. 		'webui_sorting:bool:1' \
  1019. 		'icmp_interface:string' \
  1020. 		'wan_tid:integer:201' \
  1021. 		'wan_fw_mark:hex(8)' \
  1022. 		'fw_mask:hex(8)'
  1023. }
  1024. 

  1025. # shellcheck disable=SC2120
  1026. validate_policy() {
  1027. 	uci_validate_section "${packageName}" policy "${1}" \
  1028. 		'name:string' \
  1029. 		'enabled:bool:0' \
  1030. 		'interface:network' \
  1031. 		'proto:or(string)' \
  1032. 		'chain:or("", "PREROUTING", "FORWARD", "INPUT", "OUTPUT")' \
  1033. 		'src_addr:list(neg(or(host,network,macaddr)))' \
  1034. 		'src_port:list(neg(or(portrange, string)))' \
  1035. 		'dest_addr:list(neg(host))' \
  1036. 		'dest_port:list(neg(or(portrange, string)))'
  1037. }
  1038. 

  1039. # shellcheck disable=SC2120
  1040. validate_include() {
  1041. 	uci_validate_section "${packageName}" include "${1}" \
  1042. 		'path:string' \
  1043. 		'enabled:bool:0'
  1044. }