From 725cfe6b8ef591d981507fdeb8ea8f9e9d80956d Mon Sep 17 00:00:00 2001 From: Jeroen Louwes Date: Thu, 17 Dec 2015 11:50:18 +0100 Subject: [PATCH] mwan3: update to version 2.0-1 Fix issue with sticky sessions not working correctly Fix issue where user created ipsets were not applied Signed-off-by: Jeroen Louwes --- net/mwan3/Makefile | 2 +- net/mwan3/files/etc/config/mwan3 | 146 +++++-------------- net/mwan3/files/etc/hotplug.d/iface/15-mwan3 | 29 +++- net/mwan3/files/lib/mwan3/mwan3.sh | 49 ++++--- net/mwan3/files/usr/sbin/mwan3 | 10 +- 5 files changed, 92 insertions(+), 144 deletions(-) diff --git a/net/mwan3/Makefile b/net/mwan3/Makefile index 67e3d16bd..028ffa59b 100644 --- a/net/mwan3/Makefile +++ b/net/mwan3/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=mwan3 PKG_VERSION:=2.0 -PKG_RELEASE:=0 +PKG_RELEASE:=1 PKG_MAINTAINER:=Jeroen Louwes PKG_LICENSE:=GPLv2 diff --git a/net/mwan3/files/etc/config/mwan3 b/net/mwan3/files/etc/config/mwan3 index 06118f70c..0ebe38d2d 100644 --- a/net/mwan3/files/etc/config/mwan3 +++ b/net/mwan3/files/etc/config/mwan3 
@@ -1,60 +1,21 @@ -config interface 'wan1' +config interface 'wan' option enabled '1' list track_ip '8.8.4.4' - option reliability '1' - option count '1' - option timeout '2' - option interval '5' - option down '3' - option up '8' - -config interface 'wan2' - option enabled '1' list track_ip '8.8.8.8' - option reliability '1' - option count '1' - option timeout '2' - option interval '5' - option down '3' - option up '8' - -config interface 'wan3' - option enabled '1' list track_ip '208.67.222.222' - option reliability '1' + list track_ip '208.67.220.220' + option reliability '2' option count '1' option timeout '2' option interval '5' option down '3' option up '8' -config interface 'wan1_v6' - option family 'ipv6' - option enabled '1' - list track_ip '2001:7b8:1::2' - option reliability '1' - option count '1' - option timeout '2' - option interval '5' - option down '3' - option up '8' - -config interface 'wan2_v6' - option family 'ipv6' - option enabled '1' - list track_ip '2001:7b8:2::2' - option reliability '1' - option count '1' - option timeout '2' - option interval '5' - option down '3' - option up '8' - -config interface 'wan3_v6' - option family 'ipv6' - option enabled '1' - list track_ip '2001:7b8:3::2' +config interface 'wan2' + option enabled '0' + list track_ip '8.8.8.8' + list track_ip '208.67.220.220' option reliability '1' option count '1' option timeout '2' 
@@ -62,88 +23,51 @@ config interface 'wan3_v6' option down '3' option up '8' -config member 'wan1_m1_w1' - option interface 'wan1' +config member 'wan_m1_w3' + option interface 'wan' option metric '1' - option weight '1' + option weight '3' -config member 'wan2_m1_w1' - option interface 'wan2' - option metric '1' - option weight '1' +config member 'wan_m2_w3' + option interface 'wan' + option metric '2' + option weight '3' -config member 'wan3_m1_w1' - option interface 'wan3' - option metric '1' - option weight '1' - -config member 'wan1_v6_m1_w1' - option interface 'wan1_v6' - option metric '1' - option weight '1' - -config member 'wan2_v6_m1_w1' - option interface 'wan2_v6' +config member 'wan2_m1_w2' + option interface 'wan2' option metric '1' - option weight '1' + option weight '2' -config member 'wan3_v6_m1_w1' - option interface 'wan3_v6' - option metric '1' - option weight '1' +config member 'wan2_m2_w2' + option interface 'wan2' + option metric '2' + option weight '2' -config policy 'wan1_only' - list use_member 'wan1_m1_w1' +config policy 'wan_only' + list use_member 'wan_m1_w3' config policy 'wan2_only' - list use_member 'wan2_m1_w1' + list use_member 'wan2_m1_w2' -config policy 'wan3_only' - list use_member 'wan3_m1_w1' - -config policy 'wan1_v6_only' - list use_member 'wan1_v6_m1_w1' - -config policy 'wan2_v6_only' - list use_member 'wan2_v6_m1_w1' +config policy 'balanced' + list use_member 'wan_m1_w3' + list use_member 'wan2_m1_w2' -config policy 'wan3_v6_only' - list use_member 'wan3_v6_m1_w1' +config policy 'wan_wan2' + list use_member 'wan_m1_w3' + list use_member 'wan2_m2_w2' -config policy 'balanced' - list use_member 'wan1_m1_w1' - list use_member 'wan2_m1_w1' - list use_member 'wan3_m1_w1' - list use_member 'wan1_v6_m1_w1' - list use_member 'wan2_v6_m1_w1' - list use_member 'wan3_v6_m1_w1' +config policy 'wan2_wan' + list use_member 'wan_m2_w3' + list use_member 'wan2_m1_w2' config rule 'https' - option src_ip '2001:3::/64' + option sticky '1' 
option dest_port '443' option proto 'tcp' option use_policy 'balanced' -config rule 'https2' - option dest_port '19443' - option proto 'tcp' - option use_policy 'balanced' - option sticky '1' - -config rule 'igs' - option proto 'icmp' - option family 'ipv4' - option sticky '1' - option ipset 'google' - option use_policy 'balanced' - -config rule 'i6gs' - option proto 'icmpv6' - option family 'ipv6' - option sticky '1' - option ipset 'google' - option use_policy 'balanced' - config rule 'default_rule' + option dest_ip '0.0.0.0/0' option use_policy 'balanced' diff --git a/net/mwan3/files/etc/hotplug.d/iface/15-mwan3 b/net/mwan3/files/etc/hotplug.d/iface/15-mwan3 index af2fa115c..64aaae7e7 100644 --- a/net/mwan3/files/etc/hotplug.d/iface/15-mwan3 +++ b/net/mwan3/files/etc/hotplug.d/iface/15-mwan3 @@ -1,5 +1,14 @@ #!/bin/sh +. /lib/functions.sh +. /lib/functions/network.sh +. /lib/mwan3/mwan3.sh + +config_load mwan3 + +config_get enabled $INTERFACE enabled 0 +[ "$enabled" == "1" ] || exit 0 + [ "$ACTION" == "ifup" -o "$ACTION" == "ifdown" ] || exit 1 [ -n "$INTERFACE" ] || exit 2 @@ -13,14 +22,17 @@ fi [ -x /usr/sbin/ip6tables ] || exit 7 [ -x /usr/bin/logger ] || exit 8 -. /lib/functions.sh -. /lib/functions/network.sh -. /lib/mwan3/mwan3.sh +local family gateway -config_load mwan3 +config_get family $INTERFACE family ipv4 -config_get enabled $INTERFACE enabled 0 -[ "$enabled" == "1" ] || exit 0 +if [ "$family" == "ipv4" ]; then + network_get_gateway gateway $INTERFACE +elif [ "$family" == "ipv6" ]; then + network_get_gateway6 gateway $INTERFACE +fi + +[ -n "$gateway" ] || exit 9 $LOG notice "$ACTION interface $INTERFACE (${DEVICE:-unknown})" @@ -34,6 +46,7 @@ case "$ACTION" in mwan3_create_iface_iptables $INTERFACE $DEVICE mwan3_create_iface_route $INTERFACE $DEVICE mwan3_track $INTERFACE $DEVICE + mwan3_set_policies_iptables mwan3_set_user_rules ;; ifdown) 
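Review bot: The `config_get enabled $INTERFACE enabled 0` lookup now runs before the `[ -n "$INTERFACE" ] || exit 2` guard and expands `$INTERFACE` unquoted, so an empty value shifts the arguments and the script most likely leaves with status 0 instead of 2. As far as I know, config_get in /lib/functions.sh builds a variable name from its section argument with eval, so a value taken from the hotplug environment should be checked before it gets there. I would keep the ACTION and INTERFACE guards first and quote the lookup: `[ -n "$INTERFACE" ] || exit 2` followed by `config_get enabled "$INTERFACE" enabled 0`. The same quoting applies to the `$INTERFACE` and `$DEVICE` arguments in the later hunks of this file.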
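Review bot: The new `[ -n "$gateway" ] || exit 9` runs for both actions, so an `ifdown` event that arrives once the gateway is already gone exits before the `ifdown)` branch, and the interface's iptables chains, routes and ipset entries are presumably left in place. Stale marks that still steer traffic to a dead uplink are the failure mode to avoid; restricting the check to bring-up would do it, e.g. `[ "$ACTION" != "ifup" -o -n "$gateway" ] || exit 9`. Separately, `local family gateway` sits at the top level of the script, and `local` is only defined inside a function, so depending on how the hotplug runner sources this file it may fail; plain assignments such as `family= gateway=` are safer. The case statement these checks protect lies outside this hunk.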
@@ -41,9 +54,9 @@ case "$ACTION" in mwan3_delete_iface_iptables $INTERFACE mwan3_delete_iface_route $INTERFACE mwan3_delete_iface_ipset_entries $INTERFACE + mwan3_set_policies_iptables + mwan3_set_user_rules ;; esac -config_foreach mwan3_create_policies_iptables policy - exit 0 diff --git a/net/mwan3/files/lib/mwan3/mwan3.sh b/net/mwan3/files/lib/mwan3/mwan3.sh index 6fe2479db..dab1fbd4d 100644 --- a/net/mwan3/files/lib/mwan3/mwan3.sh +++ b/net/mwan3/files/lib/mwan3/mwan3.sh 
@@ -512,24 +512,35 @@ mwan3_create_policies_iptables() config_list_foreach $1 use_member mwan3_set_policy } +mwan3_set_policies_iptables() +{ + config_foreach mwan3_create_policies_iptables policy +} + mwan3_set_sticky_iptables() { - local id + local id iface - mwan3_get_iface_id id $1 + for iface in $($IPT4 -S $policy | cut -s -d'"' -f2 | awk '{print $1}'); do - [ -n "$id" ] || return 0 + if [ "$iface" == "$1" ]; then - $IPS -! create mwan3_sticky_v4_$rule hash:ip,mark markmask 0xff00 timeout $timeout - $IPS -! create mwan3_sticky_v6_$rule hash:ip,mark markmask 0xff00 timeout $timeout family inet6 - $IPS -! create mwan3_sticky_$rule list:set - $IPS -! add mwan3_sticky_$rule mwan3_sticky_v4_$rule - $IPS -! add mwan3_sticky_$rule mwan3_sticky_v6_$rule + mwan3_get_iface_id id $1 - for IPT in "$IPT4" "$IPT6"; do - if [ -n "$($IPT -S mwan3_iface_$1 2> /dev/null)" ]; then - $IPT -I mwan3_rule_$rule -m set ! --match-set mwan3_sticky_$rule src,src -j MARK --set-xmark 0x0/0xff00 - $IPT -I mwan3_rule_$rule -m mark --mark 0/0xff00 -j MARK --set-xmark $(($id*256))/0xff00 + [ -n "$id" ] || return 0 + + $IPS -! create mwan3_sticky_v4_$rule hash:ip,mark markmask 0xff00 timeout $timeout + $IPS -! create mwan3_sticky_v6_$rule hash:ip,mark markmask 0xff00 timeout $timeout family inet6 + $IPS -! create mwan3_sticky_$rule list:set + $IPS -! add mwan3_sticky_$rule mwan3_sticky_v4_$rule + $IPS -! add mwan3_sticky_$rule mwan3_sticky_v6_$rule + + for IPT in "$IPT4" "$IPT6"; do + if [ -n "$($IPT -S mwan3_iface_in_$1 2> /dev/null)" -a -n "$($IPT -S mwan3_iface_out_$1 2> /dev/null)" ]; then + $IPT -I mwan3_rule_$rule -m mark --mark $(($id*256))/0xff00 -m set ! --match-set mwan3_sticky_$rule src,src -j MARK --set-xmark 0x0/0xff00 + $IPT -I mwan3_rule_$rule -m mark --mark 0/0xff00 -j MARK --set-xmark $(($id*256))/0xff00 + fi + done fi done } 
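Review bot: The new outer loop in mwan3_set_sticky_iptables takes its member list only from `$IPT4 -S $policy`, so an interface that appears only in the ip6tables copy of the policy chain never matches `$1` and gets no sticky rules, even though the inner loop still iterates over `"$IPT4" "$IPT6"`. The list is recovered by cutting the quoted comment out of the rule dump, which ties this function to the comment format written where the policy rules are created (outside this hunk). If IPv6 members are meant to be sticky, read both tables, e.g. `for iface in $({ $IPT4 -S $policy; $IPT6 -S $policy; } 2> /dev/null | cut -s -d'"' -f2 | awk '{print $1}'); do`, assuming an interface is listed in only one of them. `$policy`, `$rule` and `$timeout` come from the caller's scope and deserve a one-line comment above the function, such as `# uses $policy, $rule and $timeout set by the caller (mwan3_set_user_iptables_rule)`.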
@@ -556,14 +567,6 @@ mwan3_set_user_iptables_rule() fi if [ -n "$ipset" ]; then - if [ -z "$($IPS -n list $ipset 2> /dev/null)" ]; then - $IPS create $ipset list:set - $IPS create v4_$ipset hash:ip timeout 3600 - $IPS create v6_$ipset hash:ip timeout 3600 family inet6 - $IPS add $ipset v4_$ipset - $IPS add $ipset v6_$ipset - fi - ipset="-m set --match-set $ipset dst" fi @@ -579,8 +582,6 @@ mwan3_set_user_iptables_rule() policy="mwan3_policy_$use_policy" - config_foreach mwan3_set_sticky_iptables interface - for IPT in "$IPT4" "$IPT6"; do if ! $IPT -S $policy &> /dev/null; then $IPT -N $policy @@ -591,7 +592,11 @@ mwan3_set_user_iptables_rule() fi $IPT -F mwan3_rule_$1 + done + config_foreach mwan3_set_sticky_iptables interface + + for IPT in "$IPT4" "$IPT6"; do $IPT -A mwan3_rule_$1 -m mark --mark 0/0xff00 -j $policy $IPT -A mwan3_rule_$1 -m mark ! --mark 0xfc00/0xfc00 -j SET --del-set mwan3_sticky_$rule src,src $IPT -A mwan3_rule_$1 -m mark ! --mark 0xfc00/0xfc00 -j SET --add-set mwan3_sticky_$rule src,src diff --git a/net/mwan3/files/usr/sbin/mwan3 b/net/mwan3/files/usr/sbin/mwan3 index 26803aac1..824e17af8 100755 --- a/net/mwan3/files/usr/sbin/mwan3 +++ b/net/mwan3/files/usr/sbin/mwan3 @@ -84,8 +84,10 @@ policies() { echo "Current ipv4 policies:" mwan3_report_policies_v4 + echo -e echo "Current ipv6 policies:" mwan3_report_policies_v6 + echo -e } connected() @@ -154,8 +156,12 @@ stop() done done - for ipset in $($IPS -n list | sort | grep mwan3); do - $IPS destroy $ipset + for ipset in $($IPS -n list | grep mwan3_); do + $IPS -q destroy $ipset + done + + for ipset in $($IPS -n list | grep mwan3 | grep -E '_v4|_v6'); do + $IPS -q destroy $ipset done }
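Review bot: The `SET --del-set` and `--add-set mwan3_sticky_$rule` rules appended after the moved `config_foreach mwan3_set_sticky_iptables interface` need that ipset to exist, but after this commit the set is created only inside the `if [ "$iface" == "$1" ]` branch of mwan3_set_sticky_iptables, that is, only when some interface is found in the policy chain and has an id. When no member matches (for instance while every member of the policy is down) those appends would presumably fail and leave `mwan3_rule_$1` half-built. Creating the three sets with the existing `$IPS -! create` / `$IPS -! add` lines once, before the `config_foreach`, and keeping only the two `$IPT -I` rules per interface would remove that dependency. Whether these appends sit behind a sticky-only condition cannot be seen here, since mwan3_set_user_iptables_rule starts and ends outside the hunk.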
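Review bot: `grep mwan3_` in stop() is an unanchored substring match, so any set whose name merely contains `mwan3_` is destroyed, including a user-created one that this commit otherwise stops managing, and `-q` hides the outcome. The sets visible in this patch all start with `mwan3_`, so anchoring keeps the cleanup scoped to the package's own sets: `for ipset in $($IPS -n list | grep '^mwan3_'); do`. The second loop's `grep mwan3 | grep -E '_v4|_v6'` is looser still; if it exists only to retry member sets that were still referenced by a list:set during the first pass, running the same anchored pattern a second time is enough. A short comment such as `# second pass: member sets can only be destroyed after their list:set` would make that intent explicit.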