From 7bb2ccd4e173486d1c51a72374c55398c9c7e725 Mon Sep 17 00:00:00 2001 From: Stan Grishin Date: Mon, 4 May 2020 22:47:32 +0000 Subject: [PATCH] vpn-policy-routing: support phys-dev policies Signed-off-by: Stan Grishin --- net/vpn-policy-routing/Makefile | 2 +- net/vpn-policy-routing/files/README.md | 14 ++++++++++++-- .../files/vpn-policy-routing.init | 4 ++-- 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/net/vpn-policy-routing/Makefile b/net/vpn-policy-routing/Makefile index 0b83dd5ab..5ae1077f1 100644 --- a/net/vpn-policy-routing/Makefile +++ b/net/vpn-policy-routing/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=vpn-policy-routing PKG_VERSION:=0.2.1 -PKG_RELEASE:=9 +PKG_RELEASE:=13 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Stan Grishin diff --git a/net/vpn-policy-routing/files/README.md b/net/vpn-policy-routing/files/README.md index 240f2ea2a..55ce64ad2 100644 --- a/net/vpn-policy-routing/files/README.md +++ b/net/vpn-policy-routing/files/README.md @@ -24,6 +24,14 @@ This service allows you to define rules (policies) for routing traffic via WAN o - You can mix the IP addresses/subnets and device (or domain) names in one field separating them by space (like this: ```66.220.2.74 he.net tunnelbroker.net```). - See [Policy Options](#policy-options) section for more information. +### Domain-Based Policies + +- Policies based on (remote) domain names can be processed in different ways, please review the [Policy Options](#policy-options) section and [Footnotes/Known Issues](#footnotesknown-issues) section, specifically [#5](#footnote5) and any other information in that section relevant to domain-based routing/DNS. + +### Physical Device Policies + +- Policies based on a local physical device (like a specially created wlan), please review the [Policy Options](#policy-options) section and [Footnotes/Known Issues](#footnotesknown-issues) section, specifically [#6](#footnote6) and any other information in that section relevant to handling physical device. + ### DSCP Tag-Based Policies You can also set policies for traffic with specific DSCP tag. On Windows 10, for example, you can mark traffic from specific apps with DSCP tags (instructions for tagging specific app traffic in Windows 10 can be found [here](http://serverfault.com/questions/769843/cannot-set-dscp-on-windows-10-pro-via-group-policy)). @@ -175,7 +183,7 @@ The ```src_addr```, ```src_port```, ```dest_addr``` and ```dest_port``` options |**name**||Policy name, it **must** be set.| |enabled|1|Enable/disable policy. To display the ```Enable``` checkbox column for policies in the WebUI, make sure to select ```Enabled``` for ```Show Enable Column``` in the ```Web UI``` tab.| |**interface**||Policy interface, it **must** be set.| -|src_addr||List of space-separated local/source IP addresses, CIDRs, hostnames or mac addresses (colon-separated). You can also specify a local interface (like a specially created wlan) prepended by an ```@``` symbol.| +|src_addr||List of space-separated local/source IP addresses, CIDRs, hostnames or mac addresses (colon-separated). You can also specify a local physical device (like a specially created wlan) prepended by an ```@``` symbol.| |src_port||List of space-separated local/source ports or port-ranges.| |dest_addr||List of space-separated remote/target IP addresses, CIDRs or hostnames/domain names.| |dest_port||List of space-separated remote/target ports or port-ranges.| @@ -738,6 +746,8 @@ config openvpn 'vpnc' 5. When using the ```dnsmasq.ipset``` option, please make sure to flush the DNS cache of the local devices, otherwise domain policies may not work until you do. If you're not sure how to flush the DNS cache (or if the device/OS doesn't offer an option to flush its DNS cache), reboot your local devices when starting to use the service and/or when connecting data-capable device to your WiFi. +6. When using the policies targeting physical devices, make sure you have the following packages installed: ```kmod-br-netfilter```, ```kmod-ipt-physdev``` and ```iptables-mod-physdev```. + ### Multiple OpenVPN Clients If you use multiple OpenVPN clients on your router, the order in which their devices are named (tun0, tun1, etc) is not guaranteed by OpenWrt/LEDE Project. The following settings are recommended in this case. @@ -871,4 +881,4 @@ WARNING: while paste.ee uploads are unlisted/not indexed at the web-site, they a ## Thanks -I'd like to thank everyone who helped create, test and troubleshoot this service. Without contributions from [@hnyman](https://github.com/hnyman), [@dibdot](https://github.com/dibdot), [@danrl](https://github.com/danrl), [@tohojo](https://github.com/tohojo), [@cybrnook](https://github.com/cybrnook), [@nidstigator](https://github.com/nidstigator), [@AndreBL](https://github.com/AndreBL), [@dz0ny](https://github.com/dz0ny), rigorous testing/bugreporting by [@dziny](https://github.com/dziny), [@bluenote73](https://github.com/bluenote73), [@buckaroo](https://github.com/pgera), [@Alexander-r](https://github.com/Alexander-r), [n8v8R](https://github.com/n8v8R), [psherman](https://forum.openwrt.org/u/psherman), multiple contributions from [dl12345](https://github.com/dl12345), [trendy](https://forum.openwrt.org/u/trendy) and feedback from other OpenWrt users it wouldn't have been possible. Wireguard/IPv6 support is courtesy of [Mullvad](https://www.mullvad.net) and [IVPN](https://www.ivpn.net/). +I'd like to thank everyone who helped create, test and troubleshoot this service. Without contributions from [@hnyman](https://github.com/hnyman), [@dibdot](https://github.com/dibdot), [@danrl](https://github.com/danrl), [@tohojo](https://github.com/tohojo), [@cybrnook](https://github.com/cybrnook), [@nidstigator](https://github.com/nidstigator), [@AndreBL](https://github.com/AndreBL), [@dz0ny](https://github.com/dz0ny), rigorous testing/bugreporting by [@dziny](https://github.com/dziny), [@bluenote73](https://github.com/bluenote73), [@buckaroo](https://github.com/pgera), [@Alexander-r](https://github.com/Alexander-r), [n8v8R](https://github.com/n8v8R), [psherman](https://forum.openwrt.org/u/psherman), [@Vale-max](https://github.com/Vale-max), multiple contributions from [dl12345](https://github.com/dl12345) and [trendy](https://forum.openwrt.org/u/trendy) and feedback from other OpenWrt users it wouldn't have been possible. Wireguard/IPv6 support is courtesy of [Mullvad](https://www.mullvad.net) and [IVPN](https://www.ivpn.net/). diff --git a/net/vpn-policy-routing/files/vpn-policy-routing.init b/net/vpn-policy-routing/files/vpn-policy-routing.init index 78f445522..3d7851c07 100755 --- a/net/vpn-policy-routing/files/vpn-policy-routing.init +++ b/net/vpn-policy-routing/files/vpn-policy-routing.init @@ -122,7 +122,7 @@ is_ipv6_global() { [ "${1:0:4}" = "2001" ]; } # is_ipv6_global() { is_ipv6 "$1" && ! is_ipv6_link_local "$1" && ! is_ipv6_link_local "$1"; } is_netmask() { local ip="${1%/*}"; [ "$ip" != "$1" ] && is_ipv4 "$ip"; } is_domain() { [ "${1//[a-zA-Z-]}" != "$1" ]; } -is_phys_dev() { [ "${1:0:1}" = "@" ] && ip -4 r | grep -q "^${1:1}"; } +is_phys_dev() { [ "${1:0:1}" = "@" ] && ip l show | grep -E -q "^\\d+\\W+${1:1}"; } is_turris() { /bin/ubus -S call system board | /bin/grep 'Turris' | /bin/grep -q '15.05'; } is_chaos_calmer() { ubus -S call system board | grep -q 'Chaos Calmer'; } dnsmasq_kill() { killall -q -HUP dnsmasq; } @@ -369,7 +369,7 @@ insert_policy() { unset valueNeg; value="$laddr"; fi if is_phys_dev "$value"; then - param="$param $valueNeg -i ${value:1}" + param="$param $valueNeg -m physdev --physdev-in ${value:1}" elif is_mac_address "$value"; then param="$param -m mac $valueNeg --mac-source $value" elif [ "${appendLocalPolicy//-d}" != "$appendLocalPolicy" ] && [ -n "$raddr" ]; then