Merge pull request #17940 from TDT-AG/pr/20220225-mwan3

mwan3: update to version 2.11.0
2022-03-17 14:01:43 +01:00 · 2022-03-17 14:01:43 +01:00 · 9aba2936e2
commit 9aba2936e2
parent 74daf78dd6 c688ffb025
8 changed files with 164 additions and 104 deletions
--- a/net/mwan3/Makefile
+++ b/net/mwan3/Makefile
@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=mwan3
-PKG_VERSION:=2.10.13
+PKG_VERSION:=2.11.0
 PKG_RELEASE:=1
 PKG_MAINTAINER:=Florian Eckert <fe@dev.tdt.de>, \
 		Aaron Goodman <aaronjg@alumni.stanford.edu>
@ -25,6 +25,7 @@ define Package/mwan3
     +ip \
     +ipset \
     +iptables \
+     +IPV6:ip6tables \
     +iptables-mod-conntrack-extra \
     +iptables-mod-ipopt \
     +jshn
--- a/net/mwan3/files/etc/hotplug.d/iface/15-mwan3
+++ b/net/mwan3/files/etc/hotplug.d/iface/15-mwan3
@ -3,7 +3,6 @@
 . /lib/functions.sh
 . /lib/functions/network.sh
 . /lib/mwan3/mwan3.sh
-. /lib/mwan3/common.sh

 initscript=/etc/init.d/mwan3
 . /lib/functions/procd.sh
--- a/net/mwan3/files/etc/init.d/mwan3
+++ b/net/mwan3/files/etc/init.d/mwan3
@ -1,6 +1,5 @@
 #!/bin/sh /etc/rc.common

-. "${IPKG_INSTROOT}/lib/mwan3/common.sh"
 . "${IPKG_INSTROOT}/lib/functions/network.sh"
 . "${IPKG_INSTROOT}/lib/mwan3/mwan3.sh"

@ -32,6 +31,7 @@ start_service() {
 	config_foreach start_tracker interface

 	mwan3_update_iface_to_table
+	mwan3_set_dynamic_ipset
 	mwan3_set_connected_ipset
 	mwan3_set_custom_ipset
 	mwan3_set_general_rules
@ -91,14 +91,12 @@ stop_service() {
 		} | $IPTR
 	done

+	# Needed for the firewall backend to release the ipsets reference
+	sleep 2
 	for ipset in $($IPS -n list | grep mwan3_); do
 		$IPS -q destroy $ipset
 	done

-	for ipset in $($IPS -n list | grep mwan3 | grep -E '_v4|_v6'); do
-		$IPS -q destroy $ipset
-	done
-
 	rm -rf $MWAN3_STATUS_DIR $MWAN3TRACK_STATUS_DIR

 }
--- a/net/mwan3/files/lib/mwan3/common.sh
+++ b/net/mwan3/files/lib/mwan3/common.sh
@ -5,6 +5,7 @@ IP6="ip -6"
 SCRIPTNAME="$(basename "$0")"

 MWAN3_STATUS_DIR="/var/run/mwan3"
+MWAN3_STATUS_IPTABLES_LOG_DIR="${MWAN3_STATUS_DIR}/iptables_log"
 MWAN3TRACK_STATUS_DIR="/var/run/mwan3track"

 MWAN3_INTERFACE_MAX=""
@ -21,6 +22,12 @@ MAX_SLEEP=$(((1<<31)-1))
 command -v ip6tables > /dev/null
 NO_IPV6=$?

+IPS="ipset"
+IPT4="iptables -t mangle -w"
+IPT6="ip6tables -t mangle -w"
+IPT4R="iptables-restore -T mangle -w -n"
+IPT6R="ip6tables-restore -T mangle -w -n"
+
 LOG()
 {
 	local facility=$1; shift
@ -112,6 +119,7 @@ mwan3_init()
 	config_load mwan3

 	[ -d $MWAN3_STATUS_DIR ] || mkdir -p $MWAN3_STATUS_DIR/iface_state
+	[ -d "$MWAN3_STATUS_IPTABLES_LOG_DIR" ] || mkdir -p "$MWAN3_STATUS_IPTABLES_LOG_DIR"

 	# mwan3's MARKing mask (at least 3 bits should be set)
 	if [ -e "${MWAN3_STATUS_DIR}/mmx_mask" ]; then
--- a/net/mwan3/files/lib/mwan3/mwan3.sh
+++ b/net/mwan3/files/lib/mwan3/mwan3.sh
@ -1,12 +1,8 @@
 #!/bin/sh

 . "${IPKG_INSTROOT}/usr/share/libubox/jshn.sh"
+. "${IPKG_INSTROOT}/lib/mwan3/common.sh"

-IPS="ipset"
-IPT4="iptables -t mangle -w"
-IPT6="ip6tables -t mangle -w"
-IPT4R="iptables-restore -T mangle -w -n"
-IPT6R="ip6tables-restore -T mangle -w -n"
 CONNTRACK_FILE="/proc/net/nf_conntrack"
 IPv6_REGEX="([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|"
 IPv6_REGEX="${IPv6_REGEX}([0-9a-fA-F]{1,4}:){1,7}:|"
@ -118,7 +114,7 @@ mwan3_set_custom_ipset_v4()

 	for custom_network_v4 in $($IP4 route list table "$1" | awk '{print $1}' | grep -E "$IPv4_REGEX"); do
 		LOG notice "Adding network $custom_network_v4 from table $1 to mwan3_custom_v4 ipset"
-		mwan3_push_update -! add mwan3_custom_v4 "$custom_network_v4"
+		mwan3_push_update -! add mwan3_custom_ipv4 "$custom_network_v4"
 	done
 }

@ -128,7 +124,7 @@ mwan3_set_custom_ipset_v6()

 	for custom_network_v6 in $($IP6 route list table "$1" | awk '{print $1}' | grep -E "$IPv6_REGEX"); do
 		LOG notice "Adding network $custom_network_v6 from table $1 to mwan3_custom_v6 ipset"
-		mwan3_push_update -! add mwan3_custom_v6 "$custom_network_v6"
+		mwan3_push_update -! add mwan3_custom_ipv6 "$custom_network_v6"
 	done
 }

@ -136,25 +132,29 @@ mwan3_set_custom_ipset()
 {
 	local update=""

-	mwan3_push_update -! create mwan3_custom_v4 hash:net
+	mwan3_push_update -! create mwan3_custom_ipv4 hash:net
+	mwan3_push_update flush mwan3_custom_ipv4
 	config_list_foreach "globals" "rt_table_lookup" mwan3_set_custom_ipset_v4

-	mwan3_push_update -! create mwan3_custom_v6 hash:net family inet6
-	config_list_foreach "globals" "rt_table_lookup" mwan3_set_custom_ipset_v6
+	if [ $NO_IPV6 -eq 0 ]; then
+		mwan3_push_update -! create mwan3_custom_ipv6 hash:net family inet6
+		mwan3_push_update flush mwan3_custom_ipv6
+		config_list_foreach "globals" "rt_table_lookup" mwan3_set_custom_ipset_v6
+	fi

-	mwan3_push_update -! create mwan3_connected list:set
-	mwan3_push_update -! add mwan3_connected mwan3_custom_v4
-	mwan3_push_update -! add mwan3_connected mwan3_custom_v6
+	echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/ipset-set_custom_ipset.dump"
 	error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_custom_ipset: $error"
 }


 mwan3_set_connected_ipv4()
 {
-	local connected_network_v4 candidate_list cidr_list
-	$IPS -! create mwan3_connected_v4 hash:net
-	$IPS create mwan3_connected_v4_temp hash:net ||
-		LOG notice "failed to create ipset mwan3_connected_v4_temp"
+	local connected_network_v4 error
+	local candidate_list cidr_list
+	local update=""
+
+	mwan3_push_update -! create mwan3_connected_ipv4 hash:net
+	mwan3_push_update flush mwan3_connected_ipv4

 	candidate_list=""
 	cidr_list=""
@ -172,22 +172,16 @@ mwan3_set_connected_ipv4()
 	done

 	for connected_network_v4 in $cidr_list; do
-		$IPS -! add mwan3_connected_v4_temp "$connected_network_v4"
+		mwan3_push_update -! add mwan3_connected_ipv4 "$connected_network_v4"
 	done
 	for connected_network_v4 in $candidate_list; do
-		ipset -q test mwan3_connected_v4_temp "$connected_network_v4" ||
-			$IPS -! add mwan3_connected_v4_temp "$connected_network_v4"
+		mwan3_push_update -! add mwan3_connected_ipv4 "$connected_network_v4"
 	done

-	$IPS add mwan3_connected_v4_temp 224.0.0.0/3 ||
-		LOG notice "failed to add 224.0.0.0/3 to mwan3_connected_v4_temp"
-
-	$IPS swap mwan3_connected_v4_temp mwan3_connected_v4 ||
-		LOG notice "failed to swap mwan3_connected_v4_temp and mwan3_connected_v4"
-	$IPS destroy mwan3_connected_v4_temp ||
-		LOG notice "failed to destroy ipset mwan3_connected_v4_temp"
-	$IPS -! add mwan3_connected mwan3_connected_v4
+	mwan3_push_update add mwan3_connected_ipv4 224.0.0.0/3

+	echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/ipset-set_connected_ipv4.dump"
+	error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_connected_ipv4: $error"
 }

 mwan3_set_connected_ipv6()
@ -196,14 +190,14 @@ mwan3_set_connected_ipv6()
 	local update=""
 	[ $NO_IPV6 -eq 0 ] || return

-	mwan3_push_update -! create mwan3_connected_v6 hash:net family inet6
-	mwan3_push_update flush mwan3_connected_v6
+	mwan3_push_update -! create mwan3_connected_ipv6 hash:net family inet6
+	mwan3_push_update flush mwan3_connected_ipv6

 	for connected_network_v6 in $($IP6 route | awk '{print $1}' | grep -E "$IPv6_REGEX"); do
-		mwan3_push_update -! add mwan3_connected_v6 "$connected_network_v6"
+		mwan3_push_update -! add mwan3_connected_ipv6 "$connected_network_v6"
 	done

-	mwan3_push_update -! add mwan3_connected mwan3_connected_v6
+	echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/ipset-set_connected_ipv6.dump"
 	error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_connected_ipv6: $error"
 }

@ -212,20 +206,35 @@ mwan3_set_connected_ipset()
 	local error
 	local update=""

-	mwan3_push_update -! create mwan3_connected list:set
-	mwan3_push_update flush mwan3_connected
-
-	mwan3_push_update -! create mwan3_dynamic_v4 hash:net
-	mwan3_push_update -! add mwan3_connected mwan3_dynamic_v4
+	mwan3_push_update -! create mwan3_connected_ipv4 hash:net
+	mwan3_push_update flush mwan3_connected_ipv4

 	if [ $NO_IPV6 -eq 0 ]; then
-		mwan3_push_update -! create mwan3_dynamic_v6 hash:net family inet6
-		mwan3_push_update -! add mwan3_connected mwan3_dynamic_v6
+		mwan3_push_update -! create mwan3_connected_ipv6 hash:net family inet6
+		mwan3_push_update flush mwan3_connected_ipv6
 	fi

+	echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/ipset-set_connected_ipset.dump"
 	error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_connected_ipset: $error"
 }

+mwan3_set_dynamic_ipset()
+{
+	local error
+	local update=""
+
+	mwan3_push_update -! create mwan3_dynamic_ipv4 list:set
+	mwan3_push_update flush mwan3_dynamic_ipv4
+
+	if [ $NO_IPV6 -eq 0 ]; then
+		mwan3_push_update -! create mwan3_dynamic_ipv6 hash:net family inet6
+		mwan3_push_update flush mwan3_dynamic_ipv6
+	fi
+
+	echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/ipset-set_dynamic_ipset.dump"
+	error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_dynamic_ipset: $error"
+}
+
 mwan3_set_general_rules()
 {
 	local IP
@ -246,7 +255,8 @@ mwan3_set_general_rules()

 mwan3_set_general_iptables()
 {
-	local IPT current update error
+	local IPT current update error family
+
 	for IPT in "$IPT4" "$IPT6"; do
 		[ "$IPT" = "$IPT6" ] && [ $NO_IPV6 -ne 0 ] && continue
 		current="$($IPT -S)"$'\n'
@ -255,14 +265,23 @@ mwan3_set_general_iptables()
 			mwan3_push_update -N mwan3_ifaces_in
 		fi

-		if [ -n "${current##*-N mwan3_connected*}" ]; then
-			mwan3_push_update -N mwan3_connected
-			$IPS -! create mwan3_connected list:set
-			mwan3_push_update -A mwan3_connected \
-					  -m set --match-set mwan3_connected dst \
-					  -j MARK --set-xmark $MMX_DEFAULT/$MMX_MASK
+		if [ "$IPT" = "$IPT6" ]; then
+			family="ipv6"
+		else
+			family="ipv4"
 		fi

+		for chain in custom connected dynamic; do
+			echo "${current}" | grep -q "\-N mwan3_${chain}_${family}$"
+			local ret="$?"
+			if [ "$ret" = 1 ]; then
+				mwan3_push_update -N mwan3_${chain}_${family}
+				mwan3_push_update -A mwan3_${chain}_${family} \
+					-m set --match-set mwan3_${chain}_${family} dst \
+					-j MARK --set-xmark $MMX_DEFAULT/$MMX_MASK
+			fi
+		done
+
 		if [ -n "${current##*-N mwan3_rules*}" ]; then
 			mwan3_push_update -N mwan3_rules
 		fi
@ -299,17 +318,24 @@ mwan3_set_general_iptables()
 			mwan3_push_update -A mwan3_hook \
 					  -m mark --mark 0x0/$MMX_MASK \
 					  -j mwan3_ifaces_in
-			mwan3_push_update -A mwan3_hook \
-					  -m mark --mark 0x0/$MMX_MASK \
-					  -j mwan3_connected
+
+			for chain in custom connected dynamic; do
+				mwan3_push_update -A mwan3_hook \
+					-m mark --mark 0x0/$MMX_MASK \
+					-j mwan3_${chain}_${family}
+			done
+
 			mwan3_push_update -A mwan3_hook \
 					  -m mark --mark 0x0/$MMX_MASK \
 					  -j mwan3_rules
 			mwan3_push_update -A mwan3_hook \
 					  -j CONNMARK --save-mark --nfmask "$MMX_MASK" --ctmask "$MMX_MASK"
-			mwan3_push_update -A mwan3_hook \
-					  -m mark ! --mark $MMX_DEFAULT/$MMX_MASK \
-					  -j mwan3_connected
+
+			for chain in custom connected dynamic; do
+				mwan3_push_update -A mwan3_hook \
+					-m mark ! --mark $MMX_DEFAULT/$MMX_MASK \
+					-j mwan3_${chain}_${family}
+			done
 		fi

 		if [ -n "${current##*-A PREROUTING -j mwan3_hook*}" ]; then
@ -320,10 +346,12 @@ mwan3_set_general_iptables()
 		fi
 		mwan3_push_update COMMIT
 		mwan3_push_update ""
+
+		echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/iptables-set_general_iptables-${family}.dump"
 		if [ "$IPT" = "$IPT4" ]; then
-			error=$(echo "$update" | $IPT4R 2>&1) || LOG error "set_general_iptables: $error"
+			error=$(echo "$update" | $IPT4R 2>&1) || LOG error "set_general_iptables (${family}): $error"
 		else
-			error=$(echo "$update" | $IPT6R 2>&1) || LOG error "set_general_iptables: $error"
+			error=$(echo "$update" | $IPT6R 2>&1) || LOG error "set_general_iptables (${family}): $error"
 		fi
 	done
 }
@ -359,12 +387,14 @@ mwan3_create_iface_iptables()
 		mwan3_push_update -F "mwan3_iface_in_$1"
 	fi

-	mwan3_push_update -A "mwan3_iface_in_$1" \
-			  -i "$2" \
-			  -m set --match-set mwan3_connected src \
-			  -m mark --mark "0x0/$MMX_MASK" \
-			  -m comment --comment "default" \
-			  -j MARK --set-xmark "$MMX_DEFAULT/$MMX_MASK"
+	for chain in custom connected dynamic; do
+		mwan3_push_update -A "mwan3_iface_in_$1" \
+			-i "$2" \
+			-m set --match-set mwan3_${chain}_${family} src \
+			-m mark --mark "0x0/$MMX_MASK" \
+			-m comment --comment "default" \
+			-j MARK --set-xmark "$MMX_DEFAULT/$MMX_MASK"
+	done
 	mwan3_push_update -A "mwan3_iface_in_$1" \
 			  -i "$2" \
 			  -m mark --mark "0x0/$MMX_MASK" \
@ -382,13 +412,14 @@ mwan3_create_iface_iptables()

 	mwan3_push_update COMMIT
 	mwan3_push_update ""
-	error=$(echo "$update" | $IPTR 2>&1) || LOG error "create_iface_iptables: $error"

+	echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/iptables-create_iface_iptables-${1}.dump"
+	error=$(echo "$update" | $IPTR 2>&1) || LOG error "create_iface_iptables (${1}): $error"
 }

 mwan3_delete_iface_iptables()
 {
-	local IPT
+	local IPT update
 	config_get family "$1" family ipv4

 	if [ "$family" = "ipv4" ]; then
@ -400,12 +431,19 @@ mwan3_delete_iface_iptables()
 		IPT="$IPT6"
 	fi

-	$IPT -D mwan3_ifaces_in \
-	     -m mark --mark 0x0/$MMX_MASK \
-	     -j "mwan3_iface_in_$1" &> /dev/null
-	$IPT -F "mwan3_iface_in_$1" &> /dev/null
-	$IPT -X "mwan3_iface_in_$1" &> /dev/null
+	update="*mangle"

+	mwan3_push_update -D mwan3_ifaces_in \
+		-m mark --mark 0x0/$MMX_MASK \
+		-j "mwan3_iface_in_$1" &> /dev/null
+	mwan3_push_update -F "mwan3_iface_in_$1" &> /dev/null
+	mwan3_push_update -X "mwan3_iface_in_$1" &> /dev/null
+
+	mwan3_push_update COMMIT
+	mwan3_push_update ""
+
+	echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/iptables-delete_iface_iptables-${1}.dump"
+	error=$(echo "$update" | $IPTR 2>&1) || LOG error "delete_iface_iptables (${1}): $error"
 }

 mwan3_extra_tables_routes()
@ -623,8 +661,9 @@ mwan3_set_policy()
 	fi
 	mwan3_push_update COMMIT
 	mwan3_push_update ""
-	error=$(echo "$update" | $IPTR 2>&1) || LOG error "set_policy ($1): $error"

+	echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/iptables-set_policy-${1}.dump"
+	error=$(echo "$update" | $IPTR 2>&1) || LOG error "set_policy ($1): $error"
 }

 mwan3_create_policies_iptables()
@ -671,6 +710,8 @@ mwan3_create_policies_iptables()
 		esac
 		mwan3_push_update COMMIT
 		mwan3_push_update ""
+
+		echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/iptables-create_policies_iptables-${1}.dump"
 		if [ "$IPT" = "$IPT4" ]; then
 			error=$(echo "$update" | $IPT4R 2>&1) || LOG error "create_policies_iptables ($1): $error"
 		else
@ -694,17 +735,22 @@ mwan3_set_policies_iptables()

 mwan3_set_sticky_iptables()
 {
+	local rule="${1}"
+	local interface="${2}"
+	local ipv="${3}"
+	local policy="${4}"
+
 	local id iface
 	for iface in $(echo "$current" | grep "^-A $policy" | cut -s -d'"' -f2 | awk '{print $1}'); do
-		if [ "$iface" = "$1" ]; then
+		if [ "$iface" = "$interface" ]; then

-			mwan3_get_iface_id id "$1"
+			mwan3_get_iface_id id "$iface"

 			[ -n "$id" ] || return 0
-			if [ -z "${current##*-N mwan3_iface_in_$1$'\n'*}" ]; then
+			if [ -z "${current##*-N mwan3_iface_in_${iface}$'\n'*}" ]; then
 				mwan3_push_update -I "mwan3_rule_$rule" \
 						  -m mark --mark "$(mwan3_id2mask id MMX_MASK)/$MMX_MASK" \
-						  -m set ! --match-set "mwan3_sticky_$rule" src,src \
+						  -m set ! --match-set "mwan3_sticky_${ipv}_${rule}" src,src \
 						  -j MARK --set-xmark "0x0/$MMX_MASK"
 				mwan3_push_update -I "mwan3_rule_$rule" \
 						  -m mark --mark "0/$MMX_MASK" \
@ -714,6 +760,28 @@ mwan3_set_sticky_iptables()
 	done
 }

+mwan3_set_sticky_ipset()
+{
+	local rule="$1"
+	local mmx="$2"
+	local timeout="$3"
+
+	local error
+	local update=""
+
+	mwan3_push_update -! create "mwan3_sticky_ipv4_$rule" \
+		hash:ip,mark markmask "$mmx" \
+		timeout "$timeout"
+
+	[ $NO_IPV6 -eq 0 ] &&
+		mwan3_push_update -! create "mwan3_sticky_ipv6_$rule" \
+			hash:ip,mark markmask "$mmx" \
+			timeout "$timeout" family inet6
+
+	echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/ipset-set_sticky_ipset-${rule}.dump"
+	error=$(echo "$update" | $IPS restore 2>&1) || LOG error "set_sticky_ipset (${rule}): $error"
+}
+
 mwan3_set_user_iptables_rule()
 {
 	local ipset family proto policy src_ip src_port src_iface src_dev
@ -797,17 +865,7 @@ mwan3_set_user_iptables_rule()
 		rule_policy=1
 		policy="mwan3_policy_$use_policy"
 		if [ "$sticky" -eq 1 ]; then
-			$IPS -! create "mwan3_sticky_v4_$rule" \
-			     hash:ip,mark markmask "$MMX_MASK" \
-			     timeout "$timeout"
-			[ $NO_IPV6 -eq 0 ] &&
-				$IPS -! create "mwan3_sticky_v6_$rule" \
-				     hash:ip,mark markmask "$MMX_MASK" \
-				     timeout "$timeout" family inet6
-			$IPS -! create "mwan3_sticky_$rule" list:set
-			$IPS -! add "mwan3_sticky_$rule" "mwan3_sticky_v4_$rule"
-			[ $NO_IPV6 -eq 0 ] &&
-				$IPS -! add "mwan3_sticky_$rule" "mwan3_sticky_v6_$rule"
+			mwan3_set_sticky_ipset "$rule" "$MMX_MASK" "$timeout"
 		fi
 	fi

@ -821,7 +879,7 @@ mwan3_set_user_iptables_rule()
 		fi

 		mwan3_push_update -F "mwan3_rule_$1"
-		config_foreach mwan3_set_sticky_iptables interface $ipv
+		config_foreach mwan3_set_sticky_iptables interface $ipv "$policy"


 		mwan3_push_update -A "mwan3_rule_$1" \
@ -829,10 +887,10 @@ mwan3_set_user_iptables_rule()
 				  -j "$policy"
 		mwan3_push_update -A "mwan3_rule_$1" \
 				  -m mark ! --mark 0xfc00/0xfc00 \
-				  -j SET --del-set "mwan3_sticky_$rule" src,src
+				  -j SET --del-set "mwan3_sticky_${ipv}_${rule}" src,src
 		mwan3_push_update -A "mwan3_rule_$1" \
 				  -m mark ! --mark 0xfc00/0xfc00 \
-				  -j SET --add-set "mwan3_sticky_$rule" src,src
+				  -j SET --add-set "mwan3_sticky_${ipv}_${rule}" src,src
 		policy="mwan3_rule_$1"
 	fi
 	if [ "$global_logging" = "1" ] && [ "$rule_logging" = "1" ]; then
@ -924,7 +982,9 @@ mwan3_set_user_rules()

 		mwan3_push_update COMMIT
 		mwan3_push_update ""
-		error=$(echo "$update" | $IPTR 2>&1) || LOG error "set_user_rules: $error"
+
+		echo "$update" > "${MWAN3_STATUS_IPTABLES_LOG_DIR}/iptables-set_user_rules-${ipv}.dump"
+		error=$(echo "$update" | $IPTR 2>&1) || LOG error "set_user_rules (${ipv}): $error"
 	done


@ -1117,15 +1177,15 @@ mwan3_report_policies_v6()

 mwan3_report_connected_v4()
 {
-	if [ -n "$($IPT4 -S mwan3_connected 2> /dev/null)" ]; then
-		$IPS -o save list mwan3_connected_v4 | grep add | cut -d " " -f 3
+	if [ -n "$($IPT4 -S mwan3_connected_ipv4 2> /dev/null)" ]; then
+		$IPS -o save list mwan3_connected_ipv4 | grep add | cut -d " " -f 3
 	fi
 }

 mwan3_report_connected_v6()
 {
-	if [ -n "$($IPT6 -S mwan3_connected 2> /dev/null)" ]; then
-		$IPS -o save list mwan3_connected_v6 | grep add | cut -d " " -f 3
+	if [ -n "$($IPT6 -S mwan3_connected_ipv6 2> /dev/null)" ]; then
+		$IPS -o save list mwan3_connected_ipv6 | grep add | cut -d " " -f 3
 	fi
 }

--- a/net/mwan3/files/usr/libexec/rpcd/mwan3
+++ b/net/mwan3/files/usr/libexec/rpcd/mwan3
@ -5,10 +5,6 @@
 . /usr/share/libubox/jshn.sh
 . /lib/mwan3/common.sh

-IPS="ipset"
-IPT4="iptables -t mangle -w"
-IPT6="ip6tables -t mangle -w"
-
 report_connected_v4() {
 	local address

--- a/net/mwan3/files/usr/sbin/mwan3
+++ b/net/mwan3/files/usr/sbin/mwan3
@ -4,7 +4,6 @@
 . /usr/share/libubox/jshn.sh
 . /lib/functions/network.sh
 . /lib/mwan3/mwan3.sh
-. /lib/mwan3/common.sh

 command_help() {
 	local cmd="$1"
--- a/net/mwan3/files/usr/sbin/mwan3rtmon
+++ b/net/mwan3/files/usr/sbin/mwan3rtmon
@ -3,7 +3,6 @@
 . /lib/functions.sh
 . /lib/functions/network.sh
 . /lib/mwan3/mwan3.sh
-. /lib/mwan3/common.sh

 trap_with_arg()
 {