mwan3: Split ipsets into separate ipv4 and ipv6 sets

Nft does not directly support ipsets, nft sets must be used instead. The mwan3 uses ipsets for certain tasks. They can be combinded. So called an ipset of ipsets. This list type is not available in nft. So that mwan3 could be ported to nft in the feature, the ipset handling should be split. So we have for each ipset an iptables rule. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
3 years ago · 408458a72f
--- a/net/mwan3/files/etc/init.d/mwan3
+++ b/net/mwan3/files/etc/init.d/mwan3
@ -31,6 +31,7 @@ start_service() {
 	config_foreach start_tracker interface
 	mwan3_update_iface_to_table
 	mwan3_set_dynamic_ipset
 	mwan3_set_connected_ipset
 	mwan3_set_custom_ipset
 	mwan3_set_general_rules
--- a/net/mwan3/files/lib/mwan3/mwan3.sh
+++ b/net/mwan3/files/lib/mwan3/mwan3.sh
@ -114,7 +114,7 @@ mwan3_set_custom_ipset_v4()
 	for custom_network_v4 in $($IP4 route list table "$1" | awk '{print $1}' | grep -E "$IPv4_REGEX"); do
 		LOG notice "Adding network $custom_network_v4 from table $1 to mwan3_custom_v4 ipset"
 		mwan3_push_update -! add mwan3_custom_v4 "$custom_network_v4"
 		mwan3_push_update -! add mwan3_custom_ipv4 "$custom_network_v4"
 	done
 }
@ -124,7 +124,7 @@ mwan3_set_custom_ipset_v6()
 	for custom_network_v6 in $($IP6 route list table "$1" | awk '{print $1}' | grep -E "$IPv6_REGEX"); do
 		LOG notice "Adding network $custom_network_v6 from table $1 to mwan3_custom_v6 ipset"
 		mwan3_push_update -! add mwan3_custom_v6 "$custom_network_v6"
 		mwan3_push_update -! add mwan3_custom_ipv6 "$custom_network_v6"
 	done
 }
@ -132,17 +132,16 @@ mwan3_set_custom_ipset()
 {
 	local update=""
 	mwan3_push_update -! create mwan3_custom_v4 hash:net
 	mwan3_push_update -! create mwan3_custom_ipv4 hash:net
 	mwan3_push_update flush mwan3_custom_ipv4
 	config_list_foreach "globals" "rt_table_lookup" mwan3_set_custom_ipset_v4
 	if [ $NO_IPV6 -eq 0 ]; then
 		mwan3_push_update -! create mwan3_custom_v6 hash:net family inet6
 		mwan3_push_update -! create mwan3_custom_ipv6 hash:net family inet6
 		mwan3_push_update flush mwan3_custom_ipv6
 		config_list_foreach "globals" "rt_table_lookup" mwan3_set_custom_ipset_v6
 	fi
 	mwan3_push_update -! create mwan3_connected list:set
 	mwan3_push_update -! add mwan3_connected mwan3_custom_v4
 	[ $NO_IPV6 -eq 0 ] && mwan3_push_update -! add mwan3_connected mwan3_custom_v6
 	error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_custom_ipset: $error"
 }
@ -153,8 +152,8 @@ mwan3_set_connected_ipv4()
 	local candidate_list cidr_list
 	local update=""
 	mwan3_push_update -! create mwan3_connected_v4 hash:net
 	mwan3_push_update flush mwan3_connected_v4
 	mwan3_push_update -! create mwan3_connected_ipv4 hash:net
 	mwan3_push_update flush mwan3_connected_ipv4
 	candidate_list=""
 	cidr_list=""
@ -172,14 +171,14 @@ mwan3_set_connected_ipv4()
 	done
 	for connected_network_v4 in $cidr_list; do
 		mwan3_push_update -! add mwan3_connected_v4 "$connected_network_v4"
 		mwan3_push_update -! add mwan3_connected_ipv4 "$connected_network_v4"
 	done
 	for connected_network_v4 in $candidate_list; do
 		mwan3_push_update -! add mwan3_connected_v4 "$connected_network_v4"
 		mwan3_push_update -! add mwan3_connected_ipv4 "$connected_network_v4"
 	done
 	mwan3_push_update add mwan3_connected_v4 224.0.0.0/3
 	mwan3_push_update -! add mwan3_connected mwan3_connected_v4
 	mwan3_push_update add mwan3_connected_ipv4 224.0.0.0/3
 	error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_connected_ipv4: $error"
 }
@ -189,14 +188,13 @@ mwan3_set_connected_ipv6()
 	local update=""
 	[ $NO_IPV6 -eq 0 ] || return
 	mwan3_push_update -! create mwan3_connected_v6 hash:net family inet6
 	mwan3_push_update flush mwan3_connected_v6
 	mwan3_push_update -! create mwan3_connected_ipv6 hash:net family inet6
 	mwan3_push_update flush mwan3_connected_ipv6
 	for connected_network_v6 in $($IP6 route | awk '{print $1}' | grep -E "$IPv6_REGEX"); do
 		mwan3_push_update -! add mwan3_connected_v6 "$connected_network_v6"
 		mwan3_push_update -! add mwan3_connected_ipv6 "$connected_network_v6"
 	done
 	mwan3_push_update -! add mwan3_connected mwan3_connected_v6
 	error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_connected_ipv6: $error"
 }
@ -205,20 +203,33 @@ mwan3_set_connected_ipset()
 	local error
 	local update=""
 	mwan3_push_update -! create mwan3_connected list:set
 	mwan3_push_update flush mwan3_connected
 	mwan3_push_update -! create mwan3_dynamic_v4 hash:net
 	mwan3_push_update -! add mwan3_connected mwan3_dynamic_v4
 	mwan3_push_update -! create mwan3_connected_ipv4 hash:net
 	mwan3_push_update flush mwan3_connected_ipv4
 	if [ $NO_IPV6 -eq 0 ]; then
 		mwan3_push_update -! create mwan3_dynamic_v6 hash:net family inet6
 		mwan3_push_update -! add mwan3_connected mwan3_dynamic_v6
 		mwan3_push_update -! create mwan3_connected_ipv6 hash:net family inet6
 		mwan3_push_update flush mwan3_connected_ipv6
 	fi
 	error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_connected_ipset: $error"
 }
 mwan3_set_dynamic_ipset()
 {
 	local error
 	local update=""
 	mwan3_push_update -! create mwan3_dynamic_ipv4 list:set
 	mwan3_push_update flush mwan3_dynamic_ipv4
 	if [ $NO_IPV6 -eq 0 ]; then
 		mwan3_push_update -! create mwan3_dynamic_ipv6 hash:net family inet6
 		mwan3_push_update flush mwan3_dynamic_ipv6
 	fi
 	error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_dynamic_ipset: $error"
 }
 mwan3_set_general_rules()
 {
 	local IP
@ -239,7 +250,8 @@ mwan3_set_general_rules()
 mwan3_set_general_iptables()
 {
 	local IPT current update error
 	local IPT current update error family
 	for IPT in "$IPT4" "$IPT6"; do
 		[ "$IPT" = "$IPT6" ] && [ $NO_IPV6 -ne 0 ] && continue
 		current="$($IPT -S)"$'\n'
@ -248,13 +260,23 @@ mwan3_set_general_iptables()
 			mwan3_push_update -N mwan3_ifaces_in
 		fi
 		if [ -n "${current##*-N mwan3_connected*}" ]; then
 			mwan3_push_update -N mwan3_connected
 			mwan3_push_update -A mwan3_connected \
 					  -m set --match-set mwan3_connected dst \
 					  -j MARK --set-xmark $MMX_DEFAULT/$MMX_MASK
 		if [ "$IPT" = "$IPT6" ]; then
 			family="ipv6"
 		else
 			family="ipv4"
 		fi
 		for chain in custom connected dynamic; do
 			echo "${current}" | grep -q "\-N mwan3_${chain}_${family}$"
 			local ret="$?"
 			if [ "$ret" = 1 ]; then
 				mwan3_push_update -N mwan3_${chain}_${family}
 				mwan3_push_update -A mwan3_${chain}_${family} \
 					-m set --match-set mwan3_${chain}_${family} dst \
 					-j MARK --set-xmark $MMX_DEFAULT/$MMX_MASK
 			fi
 		done
 		if [ -n "${current##*-N mwan3_rules*}" ]; then
 			mwan3_push_update -N mwan3_rules
 		fi
@ -291,17 +313,24 @@ mwan3_set_general_iptables()
 			mwan3_push_update -A mwan3_hook \
 					  -m mark --mark 0x0/$MMX_MASK \
 					  -j mwan3_ifaces_in
 			mwan3_push_update -A mwan3_hook \
 					  -m mark --mark 0x0/$MMX_MASK \
 					  -j mwan3_connected
 			for chain in custom connected dynamic; do
 				mwan3_push_update -A mwan3_hook \
 					-m mark --mark 0x0/$MMX_MASK \
 					-j mwan3_${chain}_${family}
 			done
 			mwan3_push_update -A mwan3_hook \
 					  -m mark --mark 0x0/$MMX_MASK \
 					  -j mwan3_rules
 			mwan3_push_update -A mwan3_hook \
 					  -j CONNMARK --save-mark --nfmask "$MMX_MASK" --ctmask "$MMX_MASK"
 			mwan3_push_update -A mwan3_hook \
 					  -m mark ! --mark $MMX_DEFAULT/$MMX_MASK \
 					  -j mwan3_connected
 			for chain in custom connected dynamic; do
 				mwan3_push_update -A mwan3_hook \
 					-m mark ! --mark $MMX_DEFAULT/$MMX_MASK \
 					-j mwan3_${chain}_${family}
 			done
 		fi
 		if [ -n "${current##*-A PREROUTING -j mwan3_hook*}" ]; then
@ -351,12 +380,14 @@ mwan3_create_iface_iptables()
 		mwan3_push_update -F "mwan3_iface_in_$1"
 	fi
 	mwan3_push_update -A "mwan3_iface_in_$1" \
 			  -i "$2" \
 			  -m set --match-set mwan3_connected src \
 			  -m mark --mark "0x0/$MMX_MASK" \
 			  -m comment --comment "default" \
 			  -j MARK --set-xmark "$MMX_DEFAULT/$MMX_MASK"
 	for chain in custom connected dynamic; do
 		mwan3_push_update -A "mwan3_iface_in_$1" \
 			-i "$2" \
 			-m set --match-set mwan3_${chain}_${family} src \
 			-m mark --mark "0x0/$MMX_MASK" \
 			-m comment --comment "default" \
 			-j MARK --set-xmark "$MMX_DEFAULT/$MMX_MASK"
 	done
 	mwan3_push_update -A "mwan3_iface_in_$1" \
 			  -i "$2" \
 			  -m mark --mark "0x0/$MMX_MASK" \
@ -692,17 +723,22 @@ mwan3_set_policies_iptables()
 mwan3_set_sticky_iptables()
 {
 	local rule="${1}"
 	local interface="${2}"
 	local ipv="${3}"
 	local policy="${4}"
 	local id iface
 	for iface in $(echo "$current" | grep "^-A $policy" | cut -s -d'"' -f2 | awk '{print $1}'); do
 		if [ "$iface" = "$1" ]; then
 		if [ "$iface" = "$interface" ]; then
 			mwan3_get_iface_id id "$1"
 			mwan3_get_iface_id id "$iface"
 			[ -n "$id" ] || return 0
 			if [ -z "${current##*-N mwan3_iface_in_$1$'\n'*}" ]; then
 			if [ -z "${current##*-N mwan3_iface_in_${iface}$'\n'*}" ]; then
 				mwan3_push_update -I "mwan3_rule_$rule" \
 						  -m mark --mark "$(mwan3_id2mask id MMX_MASK)/$MMX_MASK" \
 						  -m set ! --match-set "mwan3_sticky_$rule" src,src \
 						  -m set ! --match-set "mwan3_sticky_${ipv}_${rule}" src,src \
 						  -j MARK --set-xmark "0x0/$MMX_MASK"
 				mwan3_push_update -I "mwan3_rule_$rule" \
 						  -m mark --mark "0/$MMX_MASK" \
@ -721,21 +757,15 @@ mwan3_set_sticky_ipset()
 	local error
 	local update=""
 	mwan3_push_update -! create "mwan3_sticky_v4_$rule" \
 	mwan3_push_update -! create "mwan3_sticky_ipv4_$rule" \
 		hash:ip,mark markmask "$mmx" \
 		timeout "$timeout"
 	[ $NO_IPV6 -eq 0 ] &&
 		mwan3_push_update -! create "mwan3_sticky_v6_$rule" \
 		mwan3_push_update -! create "mwan3_sticky_ipv6_$rule" \
 			hash:ip,mark markmask "$mmx" \
 			timeout "$timeout" family inet6
 	mwan3_push_update -! create "mwan3_sticky_$rule" list:set
 	mwan3_push_update -! add "mwan3_sticky_$rule" "mwan3_sticky_v4_$rule"
 	[ $NO_IPV6 -eq 0 ] &&
 		mwan3_push_update -! add "mwan3_sticky_$rule" "mwan3_sticky_v6_$rule"
 	error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_sticky_ipset_${rule}: $error"
 }
@ -836,7 +866,7 @@ mwan3_set_user_iptables_rule()
 		fi
 		mwan3_push_update -F "mwan3_rule_$1"
 		config_foreach mwan3_set_sticky_iptables interface $ipv
 		config_foreach mwan3_set_sticky_iptables interface $ipv "$policy"
 		mwan3_push_update -A "mwan3_rule_$1" \
@ -844,10 +874,10 @@ mwan3_set_user_iptables_rule()
 				  -j "$policy"
 		mwan3_push_update -A "mwan3_rule_$1" \
 				  -m mark ! --mark 0xfc00/0xfc00 \
 				  -j SET --del-set "mwan3_sticky_$rule" src,src
 				  -j SET --del-set "mwan3_sticky_${ipv}_${rule}" src,src
 		mwan3_push_update -A "mwan3_rule_$1" \
 				  -m mark ! --mark 0xfc00/0xfc00 \
 				  -j SET --add-set "mwan3_sticky_$rule" src,src
 				  -j SET --add-set "mwan3_sticky_${ipv}_${rule}" src,src
 		policy="mwan3_rule_$1"
 	fi
 	if [ "$global_logging" = "1" ] && [ "$rule_logging" = "1" ]; then
@ -1132,15 +1162,15 @@ mwan3_report_policies_v6()
 mwan3_report_connected_v4()
 {
 	if [ -n "$($IPT4 -S mwan3_connected 2> /dev/null)" ]; then
 		$IPS -o save list mwan3_connected_v4 | grep add | cut -d " " -f 3
 	if [ -n "$($IPT4 -S mwan3_connected_ipv4 2> /dev/null)" ]; then
 		$IPS -o save list mwan3_connected_ipv4 | grep add | cut -d " " -f 3
 	fi
 }
 mwan3_report_connected_v6()
 {
 	if [ -n "$($IPT6 -S mwan3_connected 2> /dev/null)" ]; then
 		$IPS -o save list mwan3_connected_v6 | grep add | cut -d " " -f 3
 	if [ -n "$($IPT6 -S mwan3_connected_ipv6 2> /dev/null)" ]; then
 		$IPS -o save list mwan3_connected_ipv6 | grep add | cut -d " " -f 3
 	fi
 }