From 33e70606c6167bb2da52255496787aadd5746934 Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Wed, 23 Feb 2022 12:20:26 +0100 Subject: [PATCH 01/14] mwan3: update iptables dependencies Signed-off-by: Florian Eckert --- net/mwan3/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/net/mwan3/Makefile b/net/mwan3/Makefile index 6b5e8ce90..2d60657ff 100644 --- a/net/mwan3/Makefile +++ b/net/mwan3/Makefile @@ -25,6 +25,7 @@ define Package/mwan3 +ip \ +ipset \ +iptables \ + +IPV6:ip6tables \ +iptables-mod-conntrack-extra \ +iptables-mod-ipopt \ +jshn From a49d0953dc13c1258fbb55630d22d56d5e1c1f70 Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Tue, 8 Mar 2022 10:15:04 +0100 Subject: [PATCH 02/14] mwan3: move command definitions to common.sh Signed-off-by: Florian Eckert --- net/mwan3/files/etc/hotplug.d/iface/15-mwan3 | 1 - net/mwan3/files/etc/init.d/mwan3 | 1 - net/mwan3/files/lib/mwan3/common.sh | 6 ++++++ net/mwan3/files/lib/mwan3/mwan3.sh | 6 +----- net/mwan3/files/usr/libexec/rpcd/mwan3 | 4 ---- net/mwan3/files/usr/sbin/mwan3 | 1 - net/mwan3/files/usr/sbin/mwan3rtmon | 1 - 7 files changed, 7 insertions(+), 13 deletions(-) diff --git a/net/mwan3/files/etc/hotplug.d/iface/15-mwan3 b/net/mwan3/files/etc/hotplug.d/iface/15-mwan3 index 7c107fc01..6eac6309a 100644 --- a/net/mwan3/files/etc/hotplug.d/iface/15-mwan3 +++ b/net/mwan3/files/etc/hotplug.d/iface/15-mwan3 @@ -3,7 +3,6 @@ . /lib/functions.sh . /lib/functions/network.sh . /lib/mwan3/mwan3.sh -. /lib/mwan3/common.sh initscript=/etc/init.d/mwan3 . /lib/functions/procd.sh diff --git a/net/mwan3/files/etc/init.d/mwan3 b/net/mwan3/files/etc/init.d/mwan3 index 560621516..47980ef65 100755 --- a/net/mwan3/files/etc/init.d/mwan3 +++ b/net/mwan3/files/etc/init.d/mwan3 @@ -1,6 +1,5 @@ #!/bin/sh /etc/rc.common -. "${IPKG_INSTROOT}/lib/mwan3/common.sh" . "${IPKG_INSTROOT}/lib/functions/network.sh" . "${IPKG_INSTROOT}/lib/mwan3/mwan3.sh" 
diff --git a/net/mwan3/files/lib/mwan3/common.sh b/net/mwan3/files/lib/mwan3/common.sh index 33a94ae86..5f08fdfa5 100644 --- a/net/mwan3/files/lib/mwan3/common.sh +++ b/net/mwan3/files/lib/mwan3/common.sh @@ -21,6 +21,12 @@ MAX_SLEEP=$(((1<<31)-1)) command -v ip6tables > /dev/null NO_IPV6=$? +IPS="ipset" +IPT4="iptables -t mangle -w" +IPT6="ip6tables -t mangle -w" +IPT4R="iptables-restore -T mangle -w -n" +IPT6R="ip6tables-restore -T mangle -w -n" + LOG() { local facility=$1; shift diff --git a/net/mwan3/files/lib/mwan3/mwan3.sh b/net/mwan3/files/lib/mwan3/mwan3.sh index a3a5ac89b..59ae1e607 100644 --- a/net/mwan3/files/lib/mwan3/mwan3.sh +++ b/net/mwan3/files/lib/mwan3/mwan3.sh @@ -1,12 +1,8 @@ #!/bin/sh . "${IPKG_INSTROOT}/usr/share/libubox/jshn.sh" +. "${IPKG_INSTROOT}/lib/mwan3/common.sh" -IPS="ipset" -IPT4="iptables -t mangle -w" -IPT6="ip6tables -t mangle -w" -IPT4R="iptables-restore -T mangle -w -n" -IPT6R="ip6tables-restore -T mangle -w -n" CONNTRACK_FILE="/proc/net/nf_conntrack" IPv6_REGEX="([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|" IPv6_REGEX="${IPv6_REGEX}([0-9a-fA-F]{1,4}:){1,7}:|" diff --git a/net/mwan3/files/usr/libexec/rpcd/mwan3 b/net/mwan3/files/usr/libexec/rpcd/mwan3 index 4c71fa18f..8b336a450 100755 --- a/net/mwan3/files/usr/libexec/rpcd/mwan3 +++ b/net/mwan3/files/usr/libexec/rpcd/mwan3 @@ -5,10 +5,6 @@ . /usr/share/libubox/jshn.sh . /lib/mwan3/common.sh -IPS="ipset" -IPT4="iptables -t mangle -w" -IPT6="ip6tables -t mangle -w" - report_connected_v4() { local address diff --git a/net/mwan3/files/usr/sbin/mwan3 b/net/mwan3/files/usr/sbin/mwan3 index 1ba6004bb..ea3d4c6a7 100755 --- a/net/mwan3/files/usr/sbin/mwan3 +++ b/net/mwan3/files/usr/sbin/mwan3 @@ -4,7 +4,6 @@ . /usr/share/libubox/jshn.sh . /lib/functions/network.sh . /lib/mwan3/mwan3.sh -. /lib/mwan3/common.sh command_help() { local cmd="$1" diff --git a/net/mwan3/files/usr/sbin/mwan3rtmon b/net/mwan3/files/usr/sbin/mwan3rtmon index 06be43597..b7f03cc87 100755 
--- a/net/mwan3/files/usr/sbin/mwan3rtmon +++ b/net/mwan3/files/usr/sbin/mwan3rtmon @@ -3,7 +3,6 @@ . /lib/functions.sh . /lib/functions/network.sh . /lib/mwan3/mwan3.sh -. /lib/mwan3/common.sh trap_with_arg() { From 54fad2326efb796e17ecfdfb02652ac147b3b215 Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Thu, 24 Feb 2022 12:59:31 +0100 Subject: [PATCH 03/14] mwan3: use also ipset restore for connected ipv4 sets Signed-off-by: Florian Eckert --- net/mwan3/files/lib/mwan3/mwan3.sh | 27 +++++++++++---------------- 1 file changed, 11 insertions(+), 16 deletions(-) diff --git a/net/mwan3/files/lib/mwan3/mwan3.sh b/net/mwan3/files/lib/mwan3/mwan3.sh index 59ae1e607..e6f75334c 100644 --- a/net/mwan3/files/lib/mwan3/mwan3.sh +++ b/net/mwan3/files/lib/mwan3/mwan3.sh @@ -147,10 +147,12 @@ mwan3_set_custom_ipset() mwan3_set_connected_ipv4() { - local connected_network_v4 candidate_list cidr_list - $IPS -! create mwan3_connected_v4 hash:net - $IPS create mwan3_connected_v4_temp hash:net || - LOG notice "failed to create ipset mwan3_connected_v4_temp" + local connected_network_v4 error + local candidate_list cidr_list + local update="" + + mwan3_push_update -! create mwan3_connected_v4 hash:net + mwan3_push_update flush mwan3_connected_v4 candidate_list="" cidr_list="" 
@@ -168,22 +170,15 @@ mwan3_set_connected_ipv4() done for connected_network_v4 in $cidr_list; do - $IPS -! add mwan3_connected_v4_temp "$connected_network_v4" + mwan3_push_update -! add mwan3_connected_v4 "$connected_network_v4" done for connected_network_v4 in $candidate_list; do - ipset -q test mwan3_connected_v4_temp "$connected_network_v4" || - $IPS -! add mwan3_connected_v4_temp "$connected_network_v4" + mwan3_push_update -! add mwan3_connected_v4 "$connected_network_v4" done - $IPS add mwan3_connected_v4_temp 224.0.0.0/3 || - LOG notice "failed to add 224.0.0.0/3 to mwan3_connected_v4_temp" - - $IPS swap mwan3_connected_v4_temp mwan3_connected_v4 || - LOG notice "failed to swap mwan3_connected_v4_temp and mwan3_connected_v4" - $IPS destroy mwan3_connected_v4_temp || - LOG notice "failed to destroy ipset mwan3_connected_v4_temp" - $IPS -! add mwan3_connected mwan3_connected_v4 - + mwan3_push_update add mwan3_connected_v4 224.0.0.0/3 + mwan3_push_update -! add mwan3_connected mwan3_connected_v4 + error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_connected_ipv4: $error" } mwan3_set_connected_ipv6() From fedfbd5004b6a67b7c783a28f5bf69873096f33a Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Fri, 25 Feb 2022 12:04:57 +0100 Subject: [PATCH 04/14] mwan3: do not add mwan3_custom_v6 set if ipv6 is not available Signed-off-by: Florian Eckert --- net/mwan3/files/lib/mwan3/mwan3.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mwan3/files/lib/mwan3/mwan3.sh b/net/mwan3/files/lib/mwan3/mwan3.sh index e6f75334c..1dcb8aef5 100644 --- a/net/mwan3/files/lib/mwan3/mwan3.sh +++ b/net/mwan3/files/lib/mwan3/mwan3.sh 
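Review bot: Dropping the temp-set-plus-`swap` in favour of `flush` followed by re-adding every entry opens a window in which mwan3_connected_v4 is empty while the iptables rules that match it are still active, because `ipset restore` applies its lines one after another rather than as a transaction; the old `swap` had no such window. During that window packets to connected networks are no longer caught by the default-mark rule and can be policy-routed out a WAN interface, so this is a behavioural regression, not only a refactor. The same single restore batch can keep the atomic behaviour by building the entries into a temp set and swapping inside the batch, as sketched below (the `-! create`/`flush` pair in the previous hunk then becomes a `-! create`/`flush` of the temp set instead). mwan3_set_connected_ipv4 begins in the previous hunk.
```shell
	mwan3_push_update -! create mwan3_connected_v4 hash:net
	mwan3_push_update -! create mwan3_connected_v4_temp hash:net
	mwan3_push_update flush mwan3_connected_v4_temp
	# … unchanged: cidr_list / candidate_list collection …
	for connected_network_v4 in $cidr_list $candidate_list; do
		mwan3_push_update -! add mwan3_connected_v4_temp "$connected_network_v4"
	done
	mwan3_push_update add mwan3_connected_v4_temp 224.0.0.0/3
	# swap is atomic, so the rules never observe an empty set
	mwan3_push_update swap mwan3_connected_v4_temp mwan3_connected_v4
	mwan3_push_update destroy mwan3_connected_v4_temp
	mwan3_push_update -! add mwan3_connected mwan3_connected_v4
	error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_connected_ipv4: $error"
```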
@@ -140,7 +140,7 @@ mwan3_set_custom_ipset() mwan3_push_update -! create mwan3_connected list:set mwan3_push_update -! add mwan3_connected mwan3_custom_v4 - mwan3_push_update -! add mwan3_connected mwan3_custom_v6 + [ $NO_IPV6 -eq 0 ] && mwan3_push_update -! add mwan3_connected mwan3_custom_v6 error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_custom_ipset: $error" } From e985f0dcd10745733ce3004296b4dff3331e1afe Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Fri, 25 Feb 2022 15:58:49 +0100 Subject: [PATCH 05/14] mwan3: do not create dynamic ipset for IPv6 if not supported Signed-off-by: Florian Eckert --- net/mwan3/files/lib/mwan3/mwan3.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/mwan3/files/lib/mwan3/mwan3.sh b/net/mwan3/files/lib/mwan3/mwan3.sh index 1dcb8aef5..34932a8a7 100644 --- a/net/mwan3/files/lib/mwan3/mwan3.sh +++ b/net/mwan3/files/lib/mwan3/mwan3.sh @@ -135,8 +135,10 @@ mwan3_set_custom_ipset() mwan3_push_update -! create mwan3_custom_v4 hash:net config_list_foreach "globals" "rt_table_lookup" mwan3_set_custom_ipset_v4 - mwan3_push_update -! create mwan3_custom_v6 hash:net family inet6 - config_list_foreach "globals" "rt_table_lookup" mwan3_set_custom_ipset_v6 + if [ $NO_IPV6 -eq 0 ]; then + mwan3_push_update -! create mwan3_custom_v6 hash:net family inet6 + config_list_foreach "globals" "rt_table_lookup" mwan3_set_custom_ipset_v6 + fi mwan3_push_update -! create mwan3_connected list:set mwan3_push_update -! add mwan3_connected mwan3_custom_v4 From 9c2abb19e2e48befe9993a7ab3861d760b90241a Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Fri, 25 Feb 2022 16:02:49 +0100 Subject: [PATCH 06/14] mwan3: use sticky ipset generation mwan3_push_update pattern Signed-off-by: Florian Eckert --- net/mwan3/files/lib/mwan3/mwan3.sh | 39 +++++++++++++++++++++--------- 1 file changed, 28 insertions(+), 11 deletions(-) 
diff --git a/net/mwan3/files/lib/mwan3/mwan3.sh b/net/mwan3/files/lib/mwan3/mwan3.sh index 34932a8a7..7db12f9d0 100644 --- a/net/mwan3/files/lib/mwan3/mwan3.sh +++ b/net/mwan3/files/lib/mwan3/mwan3.sh @@ -707,6 +707,33 @@ mwan3_set_sticky_iptables() done } +mwan3_set_sticky_ipset() +{ + local rule="$1" + local mmx="$2" + local timeout="$3" + + local error + local update="" + + mwan3_push_update -! create "mwan3_sticky_v4_$rule" \ + hash:ip,mark markmask "$mmx" \ + timeout "$timeout" + + [ $NO_IPV6 -eq 0 ] && + mwan3_push_update -! create "mwan3_sticky_v6_$rule" \ + hash:ip,mark markmask "$mmx" \ + timeout "$timeout" family inet6 + + mwan3_push_update -! create "mwan3_sticky_$rule" list:set + + mwan3_push_update -! add "mwan3_sticky_$rule" "mwan3_sticky_v4_$rule" + [ $NO_IPV6 -eq 0 ] && + mwan3_push_update -! add "mwan3_sticky_$rule" "mwan3_sticky_v6_$rule" + + error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_sticky_ipset_${rule}: $error" +} + mwan3_set_user_iptables_rule() { local ipset family proto policy src_ip src_port src_iface src_dev @@ -790,17 +817,7 @@ mwan3_set_user_iptables_rule() rule_policy=1 policy="mwan3_policy_$use_policy" if [ "$sticky" -eq 1 ]; then - $IPS -! create "mwan3_sticky_v4_$rule" \ - hash:ip,mark markmask "$MMX_MASK" \ - timeout "$timeout" - [ $NO_IPV6 -eq 0 ] && - $IPS -! create "mwan3_sticky_v6_$rule" \ - hash:ip,mark markmask "$MMX_MASK" \ - timeout "$timeout" family inet6 - $IPS -! create "mwan3_sticky_$rule" list:set - $IPS -! add "mwan3_sticky_$rule" "mwan3_sticky_v4_$rule" - [ $NO_IPV6 -eq 0 ] && - $IPS -! add "mwan3_sticky_$rule" "mwan3_sticky_v6_$rule" + mwan3_set_sticky_ipset "$rule" "$MMX_MASK" "$timeout" fi fi From b5c675392db02b5ad77ee8d8efc365fac05581ec Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Fri, 25 Feb 2022 16:04:09 +0100 Subject: [PATCH 07/14] mwan3: remove ipset generation from mwan3_set_general_iptables 
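Review bot: mwan3_set_sticky_ipset has no header comment, and the `-! create` lines in it silently keep an already existing set, so a changed `timeout` or mark mask in the rule config only takes effect once the old set has been destroyed; that behaviour is inherited from the lines being moved, but now that it is hidden in a helper it deserves saying. Suggested header above the function: `# Create the per-rule sticky sets (v4 and, when ip6tables exists, v6) and the list:set grouping them.` followed by `# NOTE: -! create leaves an existing set untouched; a changed timeout/markmask needs a destroy first.` The `[ $NO_IPV6 -eq 0 ] && mwan3_push_update ... \` one-liners that continue over three lines would read better as `if [ $NO_IPV6 -eq 0 ]; then ... fi` blocks, matching the form used for mwan3_custom_v6 elsewhere in this series.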
Signed-off-by: Florian Eckert --- net/mwan3/files/lib/mwan3/mwan3.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/net/mwan3/files/lib/mwan3/mwan3.sh b/net/mwan3/files/lib/mwan3/mwan3.sh index 7db12f9d0..272e8a97e 100644 --- a/net/mwan3/files/lib/mwan3/mwan3.sh +++ b/net/mwan3/files/lib/mwan3/mwan3.sh @@ -250,7 +250,6 @@ mwan3_set_general_iptables() if [ -n "${current##*-N mwan3_connected*}" ]; then mwan3_push_update -N mwan3_connected - $IPS -! create mwan3_connected list:set mwan3_push_update -A mwan3_connected \ -m set --match-set mwan3_connected dst \ -j MARK --set-xmark $MMX_DEFAULT/$MMX_MASK From 502779755a43a2ef8b99f8d7ff9e712626bc037d Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Fri, 25 Feb 2022 16:17:39 +0100 Subject: [PATCH 08/14] mwan3: use mwan3_push_update function for mwan3_delete_iface_iptables Signed-off-by: Florian Eckert --- net/mwan3/files/lib/mwan3/mwan3.sh | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/net/mwan3/files/lib/mwan3/mwan3.sh b/net/mwan3/files/lib/mwan3/mwan3.sh index 272e8a97e..cd9a939c2 100644 --- a/net/mwan3/files/lib/mwan3/mwan3.sh +++ b/net/mwan3/files/lib/mwan3/mwan3.sh @@ -380,7 +380,7 @@ mwan3_create_iface_iptables() mwan3_delete_iface_iptables() { - local IPT + local IPT update config_get family "$1" family ipv4 if [ "$family" = "ipv4" ]; then 
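Review bot: With the `$IPS -! create mwan3_connected list:set` line removed, the `-m set --match-set mwan3_connected dst` rule pushed two lines later is only loadable if the set already exists when this restore batch runs; iptables-restore rejects a reference to a missing set and the whole batch is then discarded, not just that rule. start_service in a later patch of this series calls mwan3_set_connected_ipset before the iptables setup, so the boot path looks covered, but other callers of mwan3_set_general_iptables are outside what this hunk shows. A one-line check before the `-N mwan3_connected` push, `$IPS -q -n list mwan3_connected >/dev/null || LOG error "mwan3_connected ipset missing"`, would at least make that failure mode visible in the log. mwan3_set_general_iptables starts and ends outside the hunk.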
@@ -392,12 +392,18 @@ mwan3_delete_iface_iptables() IPT="$IPT6" fi - $IPT -D mwan3_ifaces_in \ - -m mark --mark 0x0/$MMX_MASK \ - -j "mwan3_iface_in_$1" &> /dev/null - $IPT -F "mwan3_iface_in_$1" &> /dev/null - $IPT -X "mwan3_iface_in_$1" &> /dev/null + update="*mangle" + + mwan3_push_update -D mwan3_ifaces_in \ + -m mark --mark 0x0/$MMX_MASK \ + -j "mwan3_iface_in_$1" &> /dev/null + mwan3_push_update -F "mwan3_iface_in_$1" &> /dev/null + mwan3_push_update -X "mwan3_iface_in_$1" &> /dev/null + + mwan3_push_update COMMIT + mwan3_push_update "" + error=$(echo "$update" | $IPTR 2>&1) || LOG error "delete_iface_iptables_${1}: $error" } mwan3_extra_tables_routes() From 408458a72f88a1c9a4710cb6d7b56061e6feadb1 Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Tue, 1 Mar 2022 08:58:32 +0100 Subject: [PATCH 09/14] mwan3: Split ipsets into separate ipv4 and ipv6 sets Nft does not directly support ipsets, nft sets must be used instead. The mwan3 uses ipsets for certain tasks. They can be combinded. So called an ipset of ipsets. This list type is not available in nft. So that mwan3 could be ported to nft in the feature, the ipset handling should be split. So we have for each ipset an iptables rule. Signed-off-by: Florian Eckert --- net/mwan3/files/etc/init.d/mwan3 | 1 + net/mwan3/files/lib/mwan3/mwan3.sh | 152 +++++++++++++++++------------ 2 files changed, 92 insertions(+), 61 deletions(-) diff --git a/net/mwan3/files/etc/init.d/mwan3 b/net/mwan3/files/etc/init.d/mwan3 index 47980ef65..c1e2aa957 100755 --- a/net/mwan3/files/etc/init.d/mwan3 +++ b/net/mwan3/files/etc/init.d/mwan3 @@ -31,6 +31,7 @@ start_service() { config_foreach start_tracker interface mwan3_update_iface_to_table + mwan3_set_dynamic_ipset mwan3_set_connected_ipset mwan3_set_custom_ipset mwan3_set_general_rules diff --git a/net/mwan3/files/lib/mwan3/mwan3.sh b/net/mwan3/files/lib/mwan3/mwan3.sh index cd9a939c2..31c47046f 100644 --- a/net/mwan3/files/lib/mwan3/mwan3.sh +++ b/net/mwan3/files/lib/mwan3/mwan3.sh 
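Review bot: Moving the three commands into one iptables-restore batch changes their failure semantics: the old direct calls were independent with errors suppressed, whereas iptables-restore stops at the first failing line, so when the `-D mwan3_ifaces_in ... -j "mwan3_iface_in_$1"` rule is already gone (or the chain never existed) the `-F`/`-X` are never executed and the per-interface chain is left behind. Guard the batch with `$IPT -S "mwan3_iface_in_$1" >/dev/null 2>&1 || return 0` and only push the `-D` when `$IPT -C mwan3_ifaces_in -m mark --mark 0x0/$MMX_MASK -j "mwan3_iface_in_$1" 2>/dev/null` succeeds. The `&> /dev/null` redirections on the `mwan3_push_update` calls now redirect nothing, since the function only appends to `$update`, and `&>` is a bash-ism in a `#!/bin/sh` file; drop them. `error` is assigned unconditionally here but only `IPT update` are declared local, so `local IPT update error` would keep it out of the caller's scope; `$IPTR` is presumably selected in the part of the function above this hunk, which is not visible.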
@@ -114,7 +114,7 @@ mwan3_set_custom_ipset_v4() for custom_network_v4 in $($IP4 route list table "$1" | awk '{print $1}' | grep -E "$IPv4_REGEX"); do LOG notice "Adding network $custom_network_v4 from table $1 to mwan3_custom_v4 ipset" - mwan3_push_update -! add mwan3_custom_v4 "$custom_network_v4" + mwan3_push_update -! add mwan3_custom_ipv4 "$custom_network_v4" done } @@ -124,7 +124,7 @@ mwan3_set_custom_ipset_v6() for custom_network_v6 in $($IP6 route list table "$1" | awk '{print $1}' | grep -E "$IPv6_REGEX"); do LOG notice "Adding network $custom_network_v6 from table $1 to mwan3_custom_v6 ipset" - mwan3_push_update -! add mwan3_custom_v6 "$custom_network_v6" + mwan3_push_update -! add mwan3_custom_ipv6 "$custom_network_v6" done } @@ -132,17 +132,16 @@ mwan3_set_custom_ipset() { local update="" - mwan3_push_update -! create mwan3_custom_v4 hash:net + mwan3_push_update -! create mwan3_custom_ipv4 hash:net + mwan3_push_update flush mwan3_custom_ipv4 config_list_foreach "globals" "rt_table_lookup" mwan3_set_custom_ipset_v4 if [ $NO_IPV6 -eq 0 ]; then - mwan3_push_update -! create mwan3_custom_v6 hash:net family inet6 + mwan3_push_update -! create mwan3_custom_ipv6 hash:net family inet6 + mwan3_push_update flush mwan3_custom_ipv6 config_list_foreach "globals" "rt_table_lookup" mwan3_set_custom_ipset_v6 fi - mwan3_push_update -! create mwan3_connected list:set - mwan3_push_update -! add mwan3_connected mwan3_custom_v4 - [ $NO_IPV6 -eq 0 ] && mwan3_push_update -! add mwan3_connected mwan3_custom_v6 error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_custom_ipset: $error" } @@ -153,8 +152,8 @@ mwan3_set_connected_ipv4() local candidate_list cidr_list local update="" - mwan3_push_update -! create mwan3_connected_v4 hash:net - mwan3_push_update flush mwan3_connected_v4 + mwan3_push_update -! create mwan3_connected_ipv4 hash:net + mwan3_push_update flush mwan3_connected_ipv4 candidate_list="" cidr_list="" 
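Review bot: The sets are renamed to mwan3_custom_ipv4/ipv6, but the `LOG notice` lines directly above the changed lines in the first two hunks still say `to mwan3_custom_v4 ipset` and `to mwan3_custom_v6 ipset`, which will point anyone debugging a missing entry at a set that no longer exists; change them to `... to mwan3_custom_ipv4 ipset` and `... to mwan3_custom_ipv6 ipset`. In mwan3_set_custom_ipset only `update` is declared local while `error` is assigned at the end, so `local update="" error` would keep the error text from leaking into the caller. Other log strings that still use the old names may exist outside these hunks.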
@@ -172,14 +171,14 @@ mwan3_set_connected_ipv4() done for connected_network_v4 in $cidr_list; do - mwan3_push_update -! add mwan3_connected_v4 "$connected_network_v4" + mwan3_push_update -! add mwan3_connected_ipv4 "$connected_network_v4" done for connected_network_v4 in $candidate_list; do - mwan3_push_update -! add mwan3_connected_v4 "$connected_network_v4" + mwan3_push_update -! add mwan3_connected_ipv4 "$connected_network_v4" done - mwan3_push_update add mwan3_connected_v4 224.0.0.0/3 - mwan3_push_update -! add mwan3_connected mwan3_connected_v4 + mwan3_push_update add mwan3_connected_ipv4 224.0.0.0/3 + error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_connected_ipv4: $error" } @@ -189,14 +188,13 @@ mwan3_set_connected_ipv6() local update="" [ $NO_IPV6 -eq 0 ] || return - mwan3_push_update -! create mwan3_connected_v6 hash:net family inet6 - mwan3_push_update flush mwan3_connected_v6 + mwan3_push_update -! create mwan3_connected_ipv6 hash:net family inet6 + mwan3_push_update flush mwan3_connected_ipv6 for connected_network_v6 in $($IP6 route | awk '{print $1}' | grep -E "$IPv6_REGEX"); do - mwan3_push_update -! add mwan3_connected_v6 "$connected_network_v6" + mwan3_push_update -! add mwan3_connected_ipv6 "$connected_network_v6" done - mwan3_push_update -! add mwan3_connected mwan3_connected_v6 error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_connected_ipv6: $error" } 
@@ -205,20 +203,33 @@ mwan3_set_connected_ipset() local error local update="" - mwan3_push_update -! create mwan3_connected list:set - mwan3_push_update flush mwan3_connected - - mwan3_push_update -! create mwan3_dynamic_v4 hash:net - mwan3_push_update -! add mwan3_connected mwan3_dynamic_v4 + mwan3_push_update -! create mwan3_connected_ipv4 hash:net + mwan3_push_update flush mwan3_connected_ipv4 if [ $NO_IPV6 -eq 0 ]; then - mwan3_push_update -! create mwan3_dynamic_v6 hash:net family inet6 - mwan3_push_update -! add mwan3_connected mwan3_dynamic_v6 + mwan3_push_update -! create mwan3_connected_ipv6 hash:net family inet6 + mwan3_push_update flush mwan3_connected_ipv6 fi error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_connected_ipset: $error" } +mwan3_set_dynamic_ipset() +{ + local error + local update="" + + mwan3_push_update -! create mwan3_dynamic_ipv4 list:set + mwan3_push_update flush mwan3_dynamic_ipv4 + + if [ $NO_IPV6 -eq 0 ]; then + mwan3_push_update -! create mwan3_dynamic_ipv6 hash:net family inet6 + mwan3_push_update flush mwan3_dynamic_ipv6 + fi + + error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_dynamic_ipset: $error" +} + mwan3_set_general_rules() { local IP @@ -239,7 +250,8 @@ mwan3_set_general_rules() mwan3_set_general_iptables() { - local IPT current update error + local IPT current update error family + for IPT in "$IPT4" "$IPT6"; do [ "$IPT" = "$IPT6" ] && [ $NO_IPV6 -ne 0 ] && continue current="$($IPT -S)"$'\n' 
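Review bot: mwan3_set_dynamic_ipset creates mwan3_dynamic_ipv4 as `list:set`, while its IPv6 twin and the set it replaces (mwan3_dynamic_v4, `hash:net` in the removed lines above) are hash:net; a list:set only accepts other set names as members, so any `add mwan3_dynamic_ipv4 <prefix>` done elsewhere will be rejected and the `--match-set mwan3_dynamic_ipv4` rules built later in this patch would never match an address. Unless the type change is intentional, that line should read `mwan3_push_update -! create mwan3_dynamic_ipv4 hash:net`. A header comment saying what populates the dynamic sets would also help, since nothing in this file section adds to them and the writer is presumably the per-interface tracking path, which I cannot see here.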
@@ -248,13 +260,23 @@ mwan3_set_general_iptables() mwan3_push_update -N mwan3_ifaces_in fi - if [ -n "${current##*-N mwan3_connected*}" ]; then - mwan3_push_update -N mwan3_connected - mwan3_push_update -A mwan3_connected \ - -m set --match-set mwan3_connected dst \ - -j MARK --set-xmark $MMX_DEFAULT/$MMX_MASK + if [ "$IPT" = "$IPT6" ]; then + family="ipv6" + else + family="ipv4" fi + for chain in custom connected dynamic; do + echo "${current}" | grep -q "\-N mwan3_${chain}_${family}$" + local ret="$?" + if [ "$ret" = 1 ]; then + mwan3_push_update -N mwan3_${chain}_${family} + mwan3_push_update -A mwan3_${chain}_${family} \ + -m set --match-set mwan3_${chain}_${family} dst \ + -j MARK --set-xmark $MMX_DEFAULT/$MMX_MASK + fi + done + if [ -n "${current##*-N mwan3_rules*}" ]; then mwan3_push_update -N mwan3_rules fi @@ -291,17 +313,24 @@ mwan3_set_general_iptables() mwan3_push_update -A mwan3_hook \ -m mark --mark 0x0/$MMX_MASK \ -j mwan3_ifaces_in - mwan3_push_update -A mwan3_hook \ - -m mark --mark 0x0/$MMX_MASK \ - -j mwan3_connected + + for chain in custom connected dynamic; do + mwan3_push_update -A mwan3_hook \ + -m mark --mark 0x0/$MMX_MASK \ + -j mwan3_${chain}_${family} + done + mwan3_push_update -A mwan3_hook \ -m mark --mark 0x0/$MMX_MASK \ -j mwan3_rules mwan3_push_update -A mwan3_hook \ -j CONNMARK --save-mark --nfmask "$MMX_MASK" --ctmask "$MMX_MASK" - mwan3_push_update -A mwan3_hook \ - -m mark ! --mark $MMX_DEFAULT/$MMX_MASK \ - -j mwan3_connected + + for chain in custom connected dynamic; do + mwan3_push_update -A mwan3_hook \ + -m mark ! --mark $MMX_DEFAULT/$MMX_MASK \ + -j mwan3_${chain}_${family} + done fi if [ -n "${current##*-A PREROUTING -j mwan3_hook*}" ]; then 
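Review bot: `chain` is used as the loop variable of three `for chain in custom connected dynamic` loops but is missing from the function's `local IPT current update error family` declaration in the previous hunk, so it leaks as a global into every caller; extend that line to `local IPT current update error family chain`. The existence test can also drop the `ret` temporary: `if ! echo "${current}" | grep -q "\-N mwan3_${chain}_${family}$"; then` is equivalent and, unlike `[ "$ret" = 1 ]`, does not silently skip chain creation when grep exits with 2. The remainder of mwan3_set_general_iptables, including the `-S` snapshot into `current`, is outside this hunk.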
@@ -351,12 +380,14 @@ mwan3_create_iface_iptables() mwan3_push_update -F "mwan3_iface_in_$1" fi - mwan3_push_update -A "mwan3_iface_in_$1" \ - -i "$2" \ - -m set --match-set mwan3_connected src \ - -m mark --mark "0x0/$MMX_MASK" \ - -m comment --comment "default" \ - -j MARK --set-xmark "$MMX_DEFAULT/$MMX_MASK" + for chain in custom connected dynamic; do + mwan3_push_update -A "mwan3_iface_in_$1" \ + -i "$2" \ + -m set --match-set mwan3_${chain}_${family} src \ + -m mark --mark "0x0/$MMX_MASK" \ + -m comment --comment "default" \ + -j MARK --set-xmark "$MMX_DEFAULT/$MMX_MASK" + done mwan3_push_update -A "mwan3_iface_in_$1" \ -i "$2" \ -m mark --mark "0x0/$MMX_MASK" \ @@ -692,17 +723,22 @@ mwan3_set_policies_iptables() mwan3_set_sticky_iptables() { + local rule="${1}" + local interface="${2}" + local ipv="${3}" + local policy="${4}" + local id iface for iface in $(echo "$current" | grep "^-A $policy" | cut -s -d'"' -f2 | awk '{print $1}'); do - if [ "$iface" = "$1" ]; then + if [ "$iface" = "$interface" ]; then - mwan3_get_iface_id id "$1" + mwan3_get_iface_id id "$iface" [ -n "$id" ] || return 0 - if [ -z "${current##*-N mwan3_iface_in_$1$'\n'*}" ]; then + if [ -z "${current##*-N mwan3_iface_in_${iface}$'\n'*}" ]; then mwan3_push_update -I "mwan3_rule_$rule" \ -m mark --mark "$(mwan3_id2mask id MMX_MASK)/$MMX_MASK" \ - -m set ! --match-set "mwan3_sticky_$rule" src,src \ + -m set ! --match-set "mwan3_sticky_${ipv}_${rule}" src,src \ -j MARK --set-xmark "0x0/$MMX_MASK" mwan3_push_update -I "mwan3_rule_$rule" \ -m mark --mark "0/$MMX_MASK" \ 
@@ -721,21 +757,15 @@ mwan3_set_sticky_ipset() local error local update="" - mwan3_push_update -! create "mwan3_sticky_v4_$rule" \ + mwan3_push_update -! create "mwan3_sticky_ipv4_$rule" \ hash:ip,mark markmask "$mmx" \ timeout "$timeout" [ $NO_IPV6 -eq 0 ] && - mwan3_push_update -! create "mwan3_sticky_v6_$rule" \ + mwan3_push_update -! create "mwan3_sticky_ipv6_$rule" \ hash:ip,mark markmask "$mmx" \ timeout "$timeout" family inet6 - mwan3_push_update -! create "mwan3_sticky_$rule" list:set - - mwan3_push_update -! add "mwan3_sticky_$rule" "mwan3_sticky_v4_$rule" - [ $NO_IPV6 -eq 0 ] && - mwan3_push_update -! add "mwan3_sticky_$rule" "mwan3_sticky_v6_$rule" - error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_sticky_ipset_${rule}: $error" } @@ -836,7 +866,7 @@ mwan3_set_user_iptables_rule() fi mwan3_push_update -F "mwan3_rule_$1" - config_foreach mwan3_set_sticky_iptables interface $ipv + config_foreach mwan3_set_sticky_iptables interface $ipv "$policy" mwan3_push_update -A "mwan3_rule_$1" \ @@ -844,10 +874,10 @@ mwan3_set_user_iptables_rule() -j "$policy" mwan3_push_update -A "mwan3_rule_$1" \ -m mark ! --mark 0xfc00/0xfc00 \ - -j SET --del-set "mwan3_sticky_$rule" src,src + -j SET --del-set "mwan3_sticky_${ipv}_${rule}" src,src mwan3_push_update -A "mwan3_rule_$1" \ -m mark ! --mark 0xfc00/0xfc00 \ - -j SET --add-set "mwan3_sticky_$rule" src,src + -j SET --add-set "mwan3_sticky_${ipv}_${rule}" src,src policy="mwan3_rule_$1" fi if [ "$global_logging" = "1" ] && [ "$rule_logging" = "1" ]; then 
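Review bot: The call `config_foreach mwan3_set_sticky_iptables interface $ipv "$policy"` hands the callback the section name first (that is how OpenWrt's config_foreach works, as far as I recall it) followed by `$ipv` and `$policy`, yet the new parameter block in the previous hunk binds `$1` to `rule`, `$2` to `interface`, `$3` to `ipv` and `$4` to `policy`. With that mapping `interface` is "ipv4"/"ipv6", `policy` is empty, and both the `grep "^-A $policy"` and the `[ "$iface" = "$interface" ]` test never match, so no sticky rules are inserted; `rule` only appears to work because the caller's variable of the same name is visible through dynamic scoping. Pass the rule explicitly, `config_foreach mwan3_set_sticky_iptables interface "$rule" "$ipv" "$policy"`, and declare `local interface="${1}"` and `local rule="${2}"` in the function. The body of mwan3_set_sticky_iptables ends outside the visible hunk.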
@@ -1132,15 +1162,15 @@ mwan3_report_policies_v6() mwan3_report_connected_v4() { - if [ -n "$($IPT4 -S mwan3_connected 2> /dev/null)" ]; then - $IPS -o save list mwan3_connected_v4 | grep add | cut -d " " -f 3 + if [ -n "$($IPT4 -S mwan3_connected_ipv4 2> /dev/null)" ]; then + $IPS -o save list mwan3_connected_ipv4 | grep add | cut -d " " -f 3 fi } mwan3_report_connected_v6() { - if [ -n "$($IPT6 -S mwan3_connected 2> /dev/null)" ]; then - $IPS -o save list mwan3_connected_v6 | grep add | cut -d " " -f 3 + if [ -n "$($IPT6 -S mwan3_connected_ipv6 2> /dev/null)" ]; then + $IPS -o save list mwan3_connected_ipv6 | grep add | cut -d " " -f 3 fi } From 13c2604eb140b479020d07a209082f093a6e0b1d Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Tue, 8 Mar 2022 11:03:08 +0100 Subject: [PATCH 10/14] mwan3: remove not needed ipset del cmd Signed-off-by: Florian Eckert --- net/mwan3/files/etc/init.d/mwan3 | 4 ---- 1 file changed, 4 deletions(-) diff --git a/net/mwan3/files/etc/init.d/mwan3 b/net/mwan3/files/etc/init.d/mwan3 index c1e2aa957..22d5c2bd3 100755 --- a/net/mwan3/files/etc/init.d/mwan3 +++ b/net/mwan3/files/etc/init.d/mwan3 @@ -95,10 +95,6 @@ stop_service() { $IPS -q destroy $ipset done - for ipset in $($IPS -n list | grep mwan3 | grep -E '_v4|_v6'); do - $IPS -q destroy $ipset - done - rm -rf $MWAN3_STATUS_DIR $MWAN3TRACK_STATUS_DIR } From ed2e0b33ed71243a03e2782a897e68359a5de613 Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Tue, 8 Mar 2022 11:04:21 +0100 Subject: [PATCH 11/14] mwan3: add sleep to release ipset reference It turns out that under high system load, ipsets cannot be deleted. This is because there is still a reference in iptables. A short sleep should give the system time to clean this up. Signed-off-by: Florian Eckert --- net/mwan3/files/etc/init.d/mwan3 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/mwan3/files/etc/init.d/mwan3 b/net/mwan3/files/etc/init.d/mwan3 index 22d5c2bd3..33a1f46e5 100755 --- a/net/mwan3/files/etc/init.d/mwan3 
+++ b/net/mwan3/files/etc/init.d/mwan3 @@ -91,6 +91,8 @@ stop_service() { } | $IPTR done + # Needed for the firewall backend to release the ipsets reference + sleep 2 for ipset in $($IPS -n list | grep mwan3_); do $IPS -q destroy $ipset done From 5a80a5dbfe839a7c2bdec298a6bb87ed1b93b846 Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Tue, 8 Mar 2022 11:51:02 +0100 Subject: [PATCH 12/14] mwan3: unify error messages Signed-off-by: Florian Eckert --- net/mwan3/files/lib/mwan3/mwan3.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/net/mwan3/files/lib/mwan3/mwan3.sh b/net/mwan3/files/lib/mwan3/mwan3.sh index 31c47046f..740235693 100644 --- a/net/mwan3/files/lib/mwan3/mwan3.sh +++ b/net/mwan3/files/lib/mwan3/mwan3.sh @@ -342,9 +342,9 @@ mwan3_set_general_iptables() mwan3_push_update COMMIT mwan3_push_update "" if [ "$IPT" = "$IPT4" ]; then - error=$(echo "$update" | $IPT4R 2>&1) || LOG error "set_general_iptables: $error" + error=$(echo "$update" | $IPT4R 2>&1) || LOG error "set_general_iptables (${family}): $error" else - error=$(echo "$update" | $IPT6R 2>&1) || LOG error "set_general_iptables: $error" + error=$(echo "$update" | $IPT6R 2>&1) || LOG error "set_general_iptables (${family}): $error" fi done } @@ -405,7 +405,7 @@ mwan3_create_iface_iptables() mwan3_push_update COMMIT mwan3_push_update "" - error=$(echo "$update" | $IPTR 2>&1) || LOG error "create_iface_iptables: $error" + error=$(echo "$update" | $IPTR 2>&1) || LOG error "create_iface_iptables (${1}): $error" } @@ -434,7 +434,7 @@ mwan3_delete_iface_iptables() mwan3_push_update COMMIT mwan3_push_update "" - error=$(echo "$update" | $IPTR 2>&1) || LOG error "delete_iface_iptables_${1}: $error" + error=$(echo "$update" | $IPTR 2>&1) || LOG error "delete_iface_iptables (${1}): $error" } mwan3_extra_tables_routes() 
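Review bot: A fixed `sleep 2` only moves the race described in the commit message: under heavier load the reference may still be held after two seconds and `$IPS -q destroy` then fails silently, while on an idle system every stop pays two seconds for nothing. A bounded retry loop that stops as soon as no mwan3_ set remains gives the intended effect without guessing the delay, as below. The `grep mwan3_` is also an unanchored substring match, so a set from another package with mwan3_ in its name would be destroyed too; `grep '^mwan3_'` is the intended match. stop_service begins before this hunk.
```shell
	# The firewall backend may keep referencing the sets for a moment after
	# the rules above are removed; retry instead of sleeping a fixed time.
	local retry=0
	while :; do
		for ipset in $($IPS -n list | grep '^mwan3_'); do
			$IPS -q destroy "$ipset"
		done
		[ -n "$($IPS -n list | grep '^mwan3_')" ] || break
		retry=$((retry + 1))
		[ "$retry" -lt 10 ] || { LOG error "could not destroy all mwan3 ipsets"; break; }
		sleep 1
	done
```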
@@ -766,7 +766,7 @@ mwan3_set_sticky_ipset() hash:ip,mark markmask "$mmx" \ timeout "$timeout" family inet6 - error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_sticky_ipset_${rule}: $error" + error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_sticky_ipset (${rule}): $error" } mwan3_set_user_iptables_rule() @@ -969,7 +969,7 @@ mwan3_set_user_rules() mwan3_push_update COMMIT mwan3_push_update "" - error=$(echo "$update" | $IPTR 2>&1) || LOG error "set_user_rules: $error" + error=$(echo "$update" | $IPTR 2>&1) || LOG error "set_user_rules (${ipv}): $error" done From 0b5f09162b3416173eb92c0c775d7430d0546bc6 Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Tue, 8 Mar 2022 12:52:11 +0100 Subject: [PATCH 13/14] mwan3: dump iptables and ipset command for debugging Signed-off-by: Florian Eckert --- net/mwan3/files/lib/mwan3/common.sh | 2 ++ net/mwan3/files/lib/mwan3/mwan3.sh | 19 +++++++++++++++++-- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/net/mwan3/files/lib/mwan3/common.sh b/net/mwan3/files/lib/mwan3/common.sh index 5f08fdfa5..fb951d5a6 100644 --- a/net/mwan3/files/lib/mwan3/common.sh +++ b/net/mwan3/files/lib/mwan3/common.sh @@ -5,6 +5,7 @@ IP6="ip -6" SCRIPTNAME="$(basename "$0")" MWAN3_STATUS_DIR="/var/run/mwan3" +MWAN3_STATUS_IPTABLES_LOG_DIR="${MWAN3_STATUS_DIR}/iptables_log" MWAN3TRACK_STATUS_DIR="/var/run/mwan3track" MWAN3_INTERFACE_MAX="" @@ -118,6 +119,7 @@ mwan3_init() config_load mwan3 [ -d $MWAN3_STATUS_DIR ] || mkdir -p $MWAN3_STATUS_DIR/iface_state + [ -d "$MWAN3_STATUS_IPTABLES_LOG_DIR" ] || mkdir -p "$MWAN3_STATUS_IPTABLES_LOG_DIR" # mwan3's MARKing mask (at least 3 bits should be set) if [ -e "${MWAN3_STATUS_DIR}/mmx_mask" ]; then diff --git a/net/mwan3/files/lib/mwan3/mwan3.sh b/net/mwan3/files/lib/mwan3/mwan3.sh index 740235693..ec627be68 100644 --- a/net/mwan3/files/lib/mwan3/mwan3.sh +++ b/net/mwan3/files/lib/mwan3/mwan3.sh 
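Review bot: The dump directory is created with a plain `mkdir -p` under the caller's umask, and the files the next patch in this series writes into it contain the complete mwan3 mangle ruleset and ipset contents, so with a permissive umask any local unprivileged process can read the firewall layout from /var/run/mwan3/iptables_log; create it as `mkdir -p -m 0700 "$MWAN3_STATUS_IPTABLES_LOG_DIR"`. Since these dumps are a debugging aid rewritten on every reconfiguration, including hotplug events, it would also be worth gating them behind an explicit debug option rather than always writing them; whether mwan3 already has such a uci option is not visible here. A one-line comment such as `# debug dumps of the iptables-restore/ipset-restore batches built in mwan3.sh` above the mkdir would explain the directory's purpose. mwan3_init continues outside the hunk.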
@@ -142,6 +142,7 @@ mwan3_set_custom_ipset() config_list_foreach "globals" "rt_table_lookup" mwan3_set_custom_ipset_v6 fi + echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/ipset-set_custom_ipset.dump" error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_custom_ipset: $error" } @@ -179,6 +180,7 @@ mwan3_set_connected_ipv4() mwan3_push_update add mwan3_connected_ipv4 224.0.0.0/3 + echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/ipset-set_connected_ipv4.dump" error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_connected_ipv4: $error" } @@ -195,6 +197,7 @@ mwan3_set_connected_ipv6() mwan3_push_update -! add mwan3_connected_ipv6 "$connected_network_v6" done + echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/ipset-set_connected_ipv6.dump" error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_connected_ipv6: $error" } @@ -211,6 +214,7 @@ mwan3_set_connected_ipset() mwan3_push_update flush mwan3_connected_ipv6 fi + echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/ipset-set_connected_ipset.dump" error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_connected_ipset: $error" } @@ -227,6 +231,7 @@ mwan3_set_dynamic_ipset() mwan3_push_update flush mwan3_dynamic_ipv6 fi + echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/ipset-set_dynamic_ipset.dump" error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_dynamic_ipset: $error" } @@ -341,6 +346,8 @@ mwan3_set_general_iptables() fi mwan3_push_update COMMIT mwan3_push_update "" + + echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/iptables-set_general_iptables-${family}.dump" if [ "$IPT" = "$IPT4" ]; then error=$(echo "$update" | $IPT4R 2>&1) || LOG error "set_general_iptables (${family}): $error" else 
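Review bot: The same `echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/...dump"` line is repeated in every function of this patch; a small helper keeps the dump in one place and can check that the directory exists, so a script that sources mwan3.sh without having run mwan3_init does not emit a stray shell error on every restore. `printf '%s\n'` also avoids ash's echo treating backslashes in the batch specially, which matters for a file meant to be fed back into iptables-restore during debugging. The `${1}`/`${rule}` parts of the file names come from uci section names, which uci restricts to alphanumerics and underscores as far as I know, so no path traversal is possible, but a comment noting that assumption would help.
```shell
# Write the pending iptables-restore/ipset-restore batch in $update to a
# debug dump named $1; a no-op when the log directory does not exist.
mwan3_dump_update()
{
	[ -d "$MWAN3_STATUS_IPTABLES_LOG_DIR" ] || return 0
	printf '%s\n' "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/${1}.dump"
}
# … call sites, e.g. in mwan3_set_custom_ipset:
	mwan3_dump_update "ipset-set_custom_ipset"
```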
@@ -405,8 +412,9 @@ mwan3_create_iface_iptables() mwan3_push_update COMMIT mwan3_push_update "" - error=$(echo "$update" | $IPTR 2>&1) || LOG error "create_iface_iptables (${1}): $error" + echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/iptables-create_iface_iptables-${1}.dump" + error=$(echo "$update" | $IPTR 2>&1) || LOG error "create_iface_iptables (${1}): $error" } mwan3_delete_iface_iptables() @@ -434,6 +442,7 @@ mwan3_delete_iface_iptables() mwan3_push_update COMMIT mwan3_push_update "" + echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/iptables-delete_iface_iptables-${1}.dump" error=$(echo "$update" | $IPTR 2>&1) || LOG error "delete_iface_iptables (${1}): $error" } @@ -652,8 +661,9 @@ mwan3_set_policy() fi mwan3_push_update COMMIT mwan3_push_update "" - error=$(echo "$update" | $IPTR 2>&1) || LOG error "set_policy ($1): $error" + echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/iptables-set_policy-${1}.dump" + error=$(echo "$update" | $IPTR 2>&1) || LOG error "set_policy ($1): $error" } mwan3_create_policies_iptables() @@ -700,6 +710,8 @@ mwan3_create_policies_iptables() esac mwan3_push_update COMMIT mwan3_push_update "" + + echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/iptables-create_policies_iptables-${1}.dump" if [ "$IPT" = "$IPT4" ]; then error=$(echo "$update" | $IPT4R 2>&1) || LOG error "create_policies_iptables ($1): $error" else @@ -766,6 +778,7 @@ mwan3_set_sticky_ipset() hash:ip,mark markmask "$mmx" \ timeout "$timeout" family inet6 + echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/ipset-set_sticky_ipset-${rule}.dump" error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_sticky_ipset (${rule}): $error" } @@ -969,6 +982,8 @@ mwan3_set_user_rules() mwan3_push_update COMMIT mwan3_push_update "" + + echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/iptables-set_user_rules-${ipv}.dump" error=$(echo "$update" | $IPTR 2>&1) || LOG error "set_user_rules (${ipv}): $error" done 
From c688ffb025d8bda681e96a42dba3b3135516d4a7 Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Mon, 14 Mar 2022 11:34:10 +0100 Subject: [PATCH 14/14] mwan3: update version to 2.11.0 Signed-off-by: Florian Eckert --- net/mwan3/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mwan3/Makefile b/net/mwan3/Makefile index 2d60657ff..70778c61c 100644 --- a/net/mwan3/Makefile +++ b/net/mwan3/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=mwan3 -PKG_VERSION:=2.10.13 +PKG_VERSION:=2.11.0 PKG_RELEASE:=1 PKG_MAINTAINER:=Florian Eckert , \ Aaron Goodman