mwan3: Split ipsets into separate ipv4 and ipv6 sets

Nft does not directly support ipsets, nft sets must be used instead. The mwan3 uses ipsets for certain tasks. They can be combinded. So called an ipset of ipsets. This list type is not available in nft. So that mwan3 could be ported to nft in the feature, the ipset handling should be split. So we have for each ipset an iptables rule. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2022-03-01 08:58:32 +01:00 · 2022-03-01 08:58:32 +01:00 · 408458a72f
commit 408458a72f
parent 502779755a
2 changed files with 92 additions and 61 deletions
--- a/net/mwan3/files/etc/init.d/mwan3
+++ b/net/mwan3/files/etc/init.d/mwan3
@ -31,6 +31,7 @@ start_service() {
 	config_foreach start_tracker interface

 	mwan3_update_iface_to_table
+	mwan3_set_dynamic_ipset
 	mwan3_set_connected_ipset
 	mwan3_set_custom_ipset
 	mwan3_set_general_rules
--- a/net/mwan3/files/lib/mwan3/mwan3.sh
+++ b/net/mwan3/files/lib/mwan3/mwan3.sh
@ -114,7 +114,7 @@ mwan3_set_custom_ipset_v4()

 	for custom_network_v4 in $($IP4 route list table "$1" | awk '{print $1}' | grep -E "$IPv4_REGEX"); do
 		LOG notice "Adding network $custom_network_v4 from table $1 to mwan3_custom_v4 ipset"
-		mwan3_push_update -! add mwan3_custom_v4 "$custom_network_v4"
+		mwan3_push_update -! add mwan3_custom_ipv4 "$custom_network_v4"
 	done
 }

@ -124,7 +124,7 @@ mwan3_set_custom_ipset_v6()

 	for custom_network_v6 in $($IP6 route list table "$1" | awk '{print $1}' | grep -E "$IPv6_REGEX"); do
 		LOG notice "Adding network $custom_network_v6 from table $1 to mwan3_custom_v6 ipset"
-		mwan3_push_update -! add mwan3_custom_v6 "$custom_network_v6"
+		mwan3_push_update -! add mwan3_custom_ipv6 "$custom_network_v6"
 	done
 }

@ -132,17 +132,16 @@ mwan3_set_custom_ipset()
 {
 	local update=""

-	mwan3_push_update -! create mwan3_custom_v4 hash:net
+	mwan3_push_update -! create mwan3_custom_ipv4 hash:net
+	mwan3_push_update flush mwan3_custom_ipv4
 	config_list_foreach "globals" "rt_table_lookup" mwan3_set_custom_ipset_v4

 	if [ $NO_IPV6 -eq 0 ]; then
-		mwan3_push_update -! create mwan3_custom_v6 hash:net family inet6
+		mwan3_push_update -! create mwan3_custom_ipv6 hash:net family inet6
+		mwan3_push_update flush mwan3_custom_ipv6
 		config_list_foreach "globals" "rt_table_lookup" mwan3_set_custom_ipset_v6
 	fi

-	mwan3_push_update -! create mwan3_connected list:set
-	mwan3_push_update -! add mwan3_connected mwan3_custom_v4
-	[ $NO_IPV6 -eq 0 ] && mwan3_push_update -! add mwan3_connected mwan3_custom_v6
 	error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_custom_ipset: $error"
 }

@ -153,8 +152,8 @@ mwan3_set_connected_ipv4()
 	local candidate_list cidr_list
 	local update=""

-	mwan3_push_update -! create mwan3_connected_v4 hash:net
-	mwan3_push_update flush mwan3_connected_v4
+	mwan3_push_update -! create mwan3_connected_ipv4 hash:net
+	mwan3_push_update flush mwan3_connected_ipv4

 	candidate_list=""
 	cidr_list=""
@ -172,14 +171,14 @@ mwan3_set_connected_ipv4()
 	done

 	for connected_network_v4 in $cidr_list; do
-		mwan3_push_update -! add mwan3_connected_v4 "$connected_network_v4"
+		mwan3_push_update -! add mwan3_connected_ipv4 "$connected_network_v4"
 	done
 	for connected_network_v4 in $candidate_list; do
-		mwan3_push_update -! add mwan3_connected_v4 "$connected_network_v4"
+		mwan3_push_update -! add mwan3_connected_ipv4 "$connected_network_v4"
 	done

-	mwan3_push_update add mwan3_connected_v4 224.0.0.0/3
-	mwan3_push_update -! add mwan3_connected mwan3_connected_v4
+	mwan3_push_update add mwan3_connected_ipv4 224.0.0.0/3
+
 	error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_connected_ipv4: $error"
 }

@ -189,14 +188,13 @@ mwan3_set_connected_ipv6()
 	local update=""
 	[ $NO_IPV6 -eq 0 ] || return

-	mwan3_push_update -! create mwan3_connected_v6 hash:net family inet6
-	mwan3_push_update flush mwan3_connected_v6
+	mwan3_push_update -! create mwan3_connected_ipv6 hash:net family inet6
+	mwan3_push_update flush mwan3_connected_ipv6

 	for connected_network_v6 in $($IP6 route | awk '{print $1}' | grep -E "$IPv6_REGEX"); do
-		mwan3_push_update -! add mwan3_connected_v6 "$connected_network_v6"
+		mwan3_push_update -! add mwan3_connected_ipv6 "$connected_network_v6"
 	done

-	mwan3_push_update -! add mwan3_connected mwan3_connected_v6
 	error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_connected_ipv6: $error"
 }

@ -205,20 +203,33 @@ mwan3_set_connected_ipset()
 	local error
 	local update=""

-	mwan3_push_update -! create mwan3_connected list:set
-	mwan3_push_update flush mwan3_connected
-
-	mwan3_push_update -! create mwan3_dynamic_v4 hash:net
-	mwan3_push_update -! add mwan3_connected mwan3_dynamic_v4
+	mwan3_push_update -! create mwan3_connected_ipv4 hash:net
+	mwan3_push_update flush mwan3_connected_ipv4

 	if [ $NO_IPV6 -eq 0 ]; then
-		mwan3_push_update -! create mwan3_dynamic_v6 hash:net family inet6
-		mwan3_push_update -! add mwan3_connected mwan3_dynamic_v6
+		mwan3_push_update -! create mwan3_connected_ipv6 hash:net family inet6
+		mwan3_push_update flush mwan3_connected_ipv6
 	fi

 	error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_connected_ipset: $error"
 }

+mwan3_set_dynamic_ipset()
+{
+	local error
+	local update=""
+
+	mwan3_push_update -! create mwan3_dynamic_ipv4 list:set
+	mwan3_push_update flush mwan3_dynamic_ipv4
+
+	if [ $NO_IPV6 -eq 0 ]; then
+		mwan3_push_update -! create mwan3_dynamic_ipv6 hash:net family inet6
+		mwan3_push_update flush mwan3_dynamic_ipv6
+	fi
+
+	error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_dynamic_ipset: $error"
+}
+
 mwan3_set_general_rules()
 {
 	local IP
@ -239,7 +250,8 @@ mwan3_set_general_rules()

 mwan3_set_general_iptables()
 {
-	local IPT current update error
+	local IPT current update error family
+
 	for IPT in "$IPT4" "$IPT6"; do
 		[ "$IPT" = "$IPT6" ] && [ $NO_IPV6 -ne 0 ] && continue
 		current="$($IPT -S)"$'\n'
@ -248,13 +260,23 @@ mwan3_set_general_iptables()
 			mwan3_push_update -N mwan3_ifaces_in
 		fi

-		if [ -n "${current##*-N mwan3_connected*}" ]; then
-			mwan3_push_update -N mwan3_connected
-			mwan3_push_update -A mwan3_connected \
-					  -m set --match-set mwan3_connected dst \
-					  -j MARK --set-xmark $MMX_DEFAULT/$MMX_MASK
+		if [ "$IPT" = "$IPT6" ]; then
+			family="ipv6"
+		else
+			family="ipv4"
 		fi

+		for chain in custom connected dynamic; do
+			echo "${current}" | grep -q "\-N mwan3_${chain}_${family}$"
+			local ret="$?"
+			if [ "$ret" = 1 ]; then
+				mwan3_push_update -N mwan3_${chain}_${family}
+				mwan3_push_update -A mwan3_${chain}_${family} \
+					-m set --match-set mwan3_${chain}_${family} dst \
+					-j MARK --set-xmark $MMX_DEFAULT/$MMX_MASK
+			fi
+		done
+
 		if [ -n "${current##*-N mwan3_rules*}" ]; then
 			mwan3_push_update -N mwan3_rules
 		fi
@ -291,17 +313,24 @@ mwan3_set_general_iptables()
 			mwan3_push_update -A mwan3_hook \
 					  -m mark --mark 0x0/$MMX_MASK \
 					  -j mwan3_ifaces_in
-			mwan3_push_update -A mwan3_hook \
-					  -m mark --mark 0x0/$MMX_MASK \
-					  -j mwan3_connected
+
+			for chain in custom connected dynamic; do
+				mwan3_push_update -A mwan3_hook \
+					-m mark --mark 0x0/$MMX_MASK \
+					-j mwan3_${chain}_${family}
+			done
+
 			mwan3_push_update -A mwan3_hook \
 					  -m mark --mark 0x0/$MMX_MASK \
 					  -j mwan3_rules
 			mwan3_push_update -A mwan3_hook \
 					  -j CONNMARK --save-mark --nfmask "$MMX_MASK" --ctmask "$MMX_MASK"
-			mwan3_push_update -A mwan3_hook \
-					  -m mark ! --mark $MMX_DEFAULT/$MMX_MASK \
-					  -j mwan3_connected
+
+			for chain in custom connected dynamic; do
+				mwan3_push_update -A mwan3_hook \
+					-m mark ! --mark $MMX_DEFAULT/$MMX_MASK \
+					-j mwan3_${chain}_${family}
+			done
 		fi

 		if [ -n "${current##*-A PREROUTING -j mwan3_hook*}" ]; then
@ -351,12 +380,14 @@ mwan3_create_iface_iptables()
 		mwan3_push_update -F "mwan3_iface_in_$1"
 	fi

-	mwan3_push_update -A "mwan3_iface_in_$1" \
-			  -i "$2" \
-			  -m set --match-set mwan3_connected src \
-			  -m mark --mark "0x0/$MMX_MASK" \
-			  -m comment --comment "default" \
-			  -j MARK --set-xmark "$MMX_DEFAULT/$MMX_MASK"
+	for chain in custom connected dynamic; do
+		mwan3_push_update -A "mwan3_iface_in_$1" \
+			-i "$2" \
+			-m set --match-set mwan3_${chain}_${family} src \
+			-m mark --mark "0x0/$MMX_MASK" \
+			-m comment --comment "default" \
+			-j MARK --set-xmark "$MMX_DEFAULT/$MMX_MASK"
+	done
 	mwan3_push_update -A "mwan3_iface_in_$1" \
 			  -i "$2" \
 			  -m mark --mark "0x0/$MMX_MASK" \
@ -692,17 +723,22 @@ mwan3_set_policies_iptables()

 mwan3_set_sticky_iptables()
 {
+	local rule="${1}"
+	local interface="${2}"
+	local ipv="${3}"
+	local policy="${4}"
+
 	local id iface
 	for iface in $(echo "$current" | grep "^-A $policy" | cut -s -d'"' -f2 | awk '{print $1}'); do
-		if [ "$iface" = "$1" ]; then
+		if [ "$iface" = "$interface" ]; then

-			mwan3_get_iface_id id "$1"
+			mwan3_get_iface_id id "$iface"

 			[ -n "$id" ] || return 0
-			if [ -z "${current##*-N mwan3_iface_in_$1$'\n'*}" ]; then
+			if [ -z "${current##*-N mwan3_iface_in_${iface}$'\n'*}" ]; then
 				mwan3_push_update -I "mwan3_rule_$rule" \
 						  -m mark --mark "$(mwan3_id2mask id MMX_MASK)/$MMX_MASK" \
-						  -m set ! --match-set "mwan3_sticky_$rule" src,src \
+						  -m set ! --match-set "mwan3_sticky_${ipv}_${rule}" src,src \
 						  -j MARK --set-xmark "0x0/$MMX_MASK"
 				mwan3_push_update -I "mwan3_rule_$rule" \
 						  -m mark --mark "0/$MMX_MASK" \
@ -721,21 +757,15 @@ mwan3_set_sticky_ipset()
 	local error
 	local update=""

-	mwan3_push_update -! create "mwan3_sticky_v4_$rule" \
+	mwan3_push_update -! create "mwan3_sticky_ipv4_$rule" \
 		hash:ip,mark markmask "$mmx" \
 		timeout "$timeout"

 	[ $NO_IPV6 -eq 0 ] &&
-		mwan3_push_update -! create "mwan3_sticky_v6_$rule" \
+		mwan3_push_update -! create "mwan3_sticky_ipv6_$rule" \
 			hash:ip,mark markmask "$mmx" \
 			timeout "$timeout" family inet6

-	mwan3_push_update -! create "mwan3_sticky_$rule" list:set
-
-	mwan3_push_update -! add "mwan3_sticky_$rule" "mwan3_sticky_v4_$rule"
-	[ $NO_IPV6 -eq 0 ] &&
-		mwan3_push_update -! add "mwan3_sticky_$rule" "mwan3_sticky_v6_$rule"
-
 	error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_sticky_ipset_${rule}: $error"
 }

@ -836,7 +866,7 @@ mwan3_set_user_iptables_rule()
 		fi

 		mwan3_push_update -F "mwan3_rule_$1"
-		config_foreach mwan3_set_sticky_iptables interface $ipv
+		config_foreach mwan3_set_sticky_iptables interface $ipv "$policy"


 		mwan3_push_update -A "mwan3_rule_$1" \
@ -844,10 +874,10 @@ mwan3_set_user_iptables_rule()
 				  -j "$policy"
 		mwan3_push_update -A "mwan3_rule_$1" \
 				  -m mark ! --mark 0xfc00/0xfc00 \
-				  -j SET --del-set "mwan3_sticky_$rule" src,src
+				  -j SET --del-set "mwan3_sticky_${ipv}_${rule}" src,src
 		mwan3_push_update -A "mwan3_rule_$1" \
 				  -m mark ! --mark 0xfc00/0xfc00 \
-				  -j SET --add-set "mwan3_sticky_$rule" src,src
+				  -j SET --add-set "mwan3_sticky_${ipv}_${rule}" src,src
 		policy="mwan3_rule_$1"
 	fi
 	if [ "$global_logging" = "1" ] && [ "$rule_logging" = "1" ]; then
@ -1132,15 +1162,15 @@ mwan3_report_policies_v6()

 mwan3_report_connected_v4()
 {
-	if [ -n "$($IPT4 -S mwan3_connected 2> /dev/null)" ]; then
-		$IPS -o save list mwan3_connected_v4 | grep add | cut -d " " -f 3
+	if [ -n "$($IPT4 -S mwan3_connected_ipv4 2> /dev/null)" ]; then
+		$IPS -o save list mwan3_connected_ipv4 | grep add | cut -d " " -f 3
 	fi
 }

 mwan3_report_connected_v6()
 {
-	if [ -n "$($IPT6 -S mwan3_connected 2> /dev/null)" ]; then
-		$IPS -o save list mwan3_connected_v6 | grep add | cut -d " " -f 3
+	if [ -n "$($IPT6 -S mwan3_connected_ipv6 2> /dev/null)" ]; then
+		$IPS -o save list mwan3_connected_ipv6 | grep add | cut -d " " -f 3
 	fi
 }