Merge pull request #12069 from stangri/master-vpn-policy-routing
vpn-policy-routing: bugfix: remove non-ASCII from log; update README
d654eedc8f
3 changed files with 83 additions and 44 deletions
PKG_NAME:=vpn-policy-routing
|
PKG_NAME:=vpn-policy-routing
|
||||||
PKG_VERSION:=0.2.1
|
PKG_VERSION:=0.2.1
|
||||||
PKG_RELEASE:=7
|
PKG_RELEASE:=9
|
||||||
PKG_LICENSE:=GPL-3.0-or-later
|
PKG_LICENSE:=GPL-3.0-or-later
|
||||||
PKG_MAINTAINER:=Stan Grishin <stangri@melmac.net>
|
PKG_MAINTAINER:=Stan Grishin <stangri@melmac.net>
|
||||||
## Description
|
## Description
|
This service allows you to define rules (policies) for routing traffic via WAN or your L2TP, Openconnect, OpenVPN, PPTP or Wireguard tunnels. Policies can be set based on any combination of local/remote ports, local/remote IPv4 or IPv6 addresses/subnets or domains. This service supersedes the [VPN Bypass](https://github.com/openwrt/packages/blob/master/net/vpnbypass/files/README.md) service, by supporting IPv6 and by allowing you to set explicit rules not just for WAN interface (bypassing OpenVPN tunnel), but for L2TP, Openconnect, OpenVPN, PPTP and Wireguard tunnels as well.
|
This service allows you to define rules (policies) for routing traffic via WAN or your L2TP, Openconnect, OpenVPN, PPTP or Wireguard tunnels. Policies can be set based on any combination of local/remote ports, local/remote IPv4 or IPv6 addresses/subnets or domains. This service supersedes the ```VPN Bypass``` available on [GitHub](https://github.com/openwrt/packages/blob/master/net/vpnbypass/files/README.md)/[jsDelivr](https://cdn.jsdelivr.net/gh/openwrt/packages@master/net/vpnbypass/files/README.md) service, by supporting IPv6 and by allowing you to set explicit rules not just for WAN interface (bypassing OpenVPN tunnel), but for L2TP, Openconnect, OpenVPN, PPTP and Wireguard tunnels as well.
|
## Features
|
## Features
|
## Screenshots (luci-app-vpn-policy-routing)
|
## Screenshots (luci-app-vpn-policy-routing)
|
||||||
|
|
||||||
Service Status
|
Service Status
|
||||||

|

|
||||||
|
|
||||||
Configuration - Basic Configuration
|
Configuration - Basic Configuration
|
||||||

|

|
||||||
|
|
||||||
Configuration - Advanced Configuration
|
Configuration - Advanced Configuration
|
||||||

|

|
||||||
|
|
||||||
Configuration - WebUI Configuration
|
Configuration - WebUI Configuration
|
||||||

|

|
||||||
|
|
||||||
Policies
|
Policies
|
||||||

|

|
||||||
|
|
||||||
DSCP Tagging
|
DSCP Tagging
|
||||||

|

|
||||||
|
|
||||||
Custom User File Includes
|
Custom User File Includes
|
||||||

|

|
||||||
|
|
||||||
## How It Works
|
## How It Works
|
||||||
|
|
||||||
|
@ -105,7 +105,7 @@ opkg update
|
||||||
opkg install vpn-policy-routing luci-app-vpn-policy-routing
|
opkg install vpn-policy-routing luci-app-vpn-policy-routing
|
||||||
```
|
```
|
||||||
|
|
||||||
If these packages are not found in the official feed/repo for your version of OpenWrt/LEDE Project, you will need to [add a custom repo to your router](https://github.com/stangri/openwrt_packages/blob/master/README.md#on-your-router) first.
|
If these packages are not found in the official feed/repo for your version of OpenWrt/LEDE Project, you will need to add a custom repo to your router following instructions on [GitHub](https://github.com/stangri/openwrt_packages/blob/master/README.md#on-your-router)/[jsDelivr](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/README.md#on-your-router) first.
|
||||||
|
|
||||||
### Requirements
|
### Requirements
|
||||||
|
|
||||||
|
@ -647,7 +647,7 @@ config rule
|
||||||
|
|
||||||
#### Netflix Domains
|
#### Netflix Domains
|
||||||
|
|
||||||
The following policy should route US Netflix traffic via WAN. For capturing international Netflix domain names, you can refer to [these getdomainnames.sh-specific instructions](https://github.com/Xentrk/netflix-vpn-bypass#ipset_netflix_domainssh) and don't forget to adjust them for OpenWrt. This may not work if Netflix changes things. For more reliable US Netflix routing you may want to consider using [custom user files](#custom-user-files).
|
The following policy should route US Netflix traffic via WAN. For capturing international Netflix domain names, you can refer to the getdomainnames.sh-specific instructions on [GitHub](https://github.com/Xentrk/netflix-vpn-bypass/blob/master/README.md#ipset_netflix_domainssh)/[jsDelivr](https://cdn.jsdelivr.net/gh/Xentrk/openwrt_packages@master/netflix-vpn-bypass/README.md#ipset_netflix_domainssh) and don't forget to adjust them for OpenWrt. This may not work if Netflix changes things. For more reliable US Netflix routing you may want to consider using [custom user files](#custom-user-files).
|
||||||
|
|
||||||
```text
|
```text
|
||||||
config policy
|
config policy
|
||||||
|
@ -780,8 +780,12 @@ config vpn-policy-routing 'config'
|
||||||
|
|
||||||
### A Word About Default Routing
|
### A Word About Default Routing
|
||||||
|
|
||||||
Service does not alter the default routing. Depending on your VPN tunnel settings (and settings of the VPN server you are connecting to), the default routing might be set to go via WAN or via VPN tunnel. This service affects only routing of the traffic matching the policies. If you want to override default routing, set the following:
|
Service does not alter the default routing. Depending on your VPN tunnel settings (and settings of the VPN server you are connecting to), the default routing might be set to go via WAN or via VPN tunnel. This service affects only routing of the traffic matching the policies. If you want to override default routing, follow the instructions below.
|
||||||
|
|
||||||
|
#### OpenVPN tunnel configured via uci (/etc/config/openvpn)
|
||||||
|
|
||||||
|
Set the following to the appropriate section of your ```/etc/config/openvpn```:
|
||||||
|
|
||||||
- For OpenVPN 2.4 and newer client config:
|
- For OpenVPN 2.4 and newer client config:
|
||||||
|
|
||||||
```text
|
```text
|
||||||
|
@ -800,7 +804,31 @@ Service does not alter the default routing. Depending on your VPN tunnel setting
|
||||||
option route_allowed_ips '0'
|
option route_allowed_ips '0'
|
||||||
```
|
```
|
||||||
|
|
||||||
- Routing Wireguard traffic requires setting `rp_filter = 2`. Please refer to [issue #41](https://github.com/stangri/openwrt_packages/issues/41) for more details.
|
#### OpenVPN tunnel configured with .ovpn file
|
||||||
|
|
||||||
|
Set the following to the appropriate section of your ```.ovpn``` file:
|
||||||
|
|
||||||
|
- For OpenVPN 2.4 and newer client ```.ovpn``` file:
|
||||||
|
|
||||||
|
```text
|
||||||
|
pull_filter 'ignore "redirect-gateway"'
|
||||||
|
```
|
||||||
|
|
||||||
|
- For OpenVPN 2.3 and older client ```.ovpn``` file:
|
||||||
|
|
||||||
|
```text
|
||||||
|
route_nopull '1'
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Wireguard tunnel
|
||||||
|
|
||||||
|
- For your Wireguard (client) config:
|
||||||
|
|
||||||
|
```text
|
||||||
|
option route_allowed_ips '0'
|
||||||
|
```
|
||||||
|
|
||||||
|
- Routing Wireguard traffic may require setting `net.ipv4.conf.wg0.rp_filter = 2` in `/etc/sysctl.conf`. Please refer to [issue #41](https://github.com/stangri/openwrt_packages/issues/41) for more details.
|
||||||
|
|
||||||
### A Word About HTTP/3 (QUICK)
|
### A Word About HTTP/3 (QUICK)
|
||||||
|
|
||||||
|
@ -810,9 +838,9 @@ If you want to target traffic using HTTP/3 protocol, you can use the ```AUTO```
|
||||||
|
|
||||||
Some browsers, like [Mozilla Firefox](https://support.mozilla.org/en-US/kb/firefox-dns-over-https#w_about-dns-over-https) or [Google Chrome/Chromium](https://blog.chromium.org/2019/09/experimenting-with-same-provider-dns.html) have [DNS-over-HTTPS proxy](https://en.wikipedia.org/wiki/DNS_over_HTTPS) built-in. Their requests to web-sites cannot be affected if the ```dnsmasq.ipset``` is set for the ```dest_ipset``` option. To fix this, you can try either of the following:
|
Some browsers, like [Mozilla Firefox](https://support.mozilla.org/en-US/kb/firefox-dns-over-https#w_about-dns-over-https) or [Google Chrome/Chromium](https://blog.chromium.org/2019/09/experimenting-with-same-provider-dns.html) have [DNS-over-HTTPS proxy](https://en.wikipedia.org/wiki/DNS_over_HTTPS) built-in. Their requests to web-sites cannot be affected if the ```dnsmasq.ipset``` is set for the ```dest_ipset``` option. To fix this, you can try either of the following:
|
||||||
|
|
||||||
1. Disable the DNS-over-HTTPS support in your browser and use the OpenWrt's [net/https-dns-proxy](https://github.com/openwrt/packages/tree/master/net/https-dns-proxy) package with optional [https-dns-proxy luci app](https://github.com/openwrt/luci/tree/master/applications/luci-app-https_dns_proxy). You can then continue to use ```dnsmasq.ipset``` setting for the ```dest_ipset``` in VPN Policy Routing.
|
1. Disable the DNS-over-HTTPS support in your browser and use the OpenWrt's ```net/https-dns-proxy``` (README on [GitHub](https://github.com/openwrt/packages/tree/master/net/https-dns-proxy)/[jsDelivr](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/https-dns-proxy/files/README.md)) package with optional ```https-dns-proxy``` WebUI/luci app. You can then continue to use ```dnsmasq.ipset``` setting for the ```dest_ipset``` in VPN Policy Routing.
|
||||||
|
|
||||||
2. Continue using DNS-over-HTTPS in your browser (which, by the way, also limits your options for router-level AdBlocking as described [in ```dnsmasq.ipset``` option description here](https://github.com/openwrt/packages/tree/master/net/simple-adblock/files#dns-resolution-option)), you than would either have to disable the ```dest_ipset``` or switch it to ```ipset```. Please note, you will lose all the benefits of [```dnsmasq.ipset```](#use-dnsmasq-ipset) option.
|
2. Continue using DNS-over-HTTPS in your browser (which, by the way, also limits your options for router-level AdBlocking as described in ```dnsmasq.ipset``` option description here of ```net/simple-adblock``` README on [GitHub](https://github.com/openwrt/packages/tree/master/net/simple-adblock/files#dns-resolution-option)/[jsDelivr](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/simple-adblock/files/README.md#dns-resolution-option)), you than would either have to disable the ```dest_ipset``` or switch it to ```ipset```. Please note, you will lose all the benefits of [```dnsmasq.ipset```](#use-dnsmasq-ipset) option.
|
||||||
|
|
||||||
### A Word About Cloudflare's 1.1.1.1 App
|
### A Word About Cloudflare's 1.1.1.1 App
|
||||||
|
|
||||||
|
@ -843,4 +871,4 @@ WARNING: while paste.ee uploads are unlisted/not indexed at the web-site, they a
|
||||||
|
|
||||||
## Thanks
|
## Thanks
|
||||||
|
|
||||||
I'd like to thank everyone who helped create, test and troubleshoot this service. Without contributions from [@hnyman](https://github.com/hnyman), [@dibdot](https://github.com/dibdot), [@danrl](https://github.com/danrl), [@tohojo](https://github.com/tohojo), [@cybrnook](https://github.com/cybrnook), [@nidstigator](https://github.com/nidstigator), [@AndreBL](https://github.com/AndreBL), [@dz0ny](https://github.com/dz0ny), rigorous testing/bugreporting by [@dziny](https://github.com/dziny), [@bluenote73](https://github.com/bluenote73), [@buckaroo](https://github.com/pgera), [@Alexander-r](https://github.com/Alexander-r), [n8v8R](https://github.com/n8v8R), [psherman](https://forum.openwrt.org/u/psherman), multiple contributions from [dl12345](https://github.com/dl12345), [trendy](https://forum.openwrt.org/u/trendy) and feedback from other OpenWrt users it wouldn't have been possible. Wireguard/IPv6 support is courtesy of [Mullvad](https://www.mullvad.net), [IVPN](https://www.ivpn.net/) and [WireVPN](https://www.wirevpn.net).
|
I'd like to thank everyone who helped create, test and troubleshoot this service. Without contributions from [@hnyman](https://github.com/hnyman), [@dibdot](https://github.com/dibdot), [@danrl](https://github.com/danrl), [@tohojo](https://github.com/tohojo), [@cybrnook](https://github.com/cybrnook), [@nidstigator](https://github.com/nidstigator), [@AndreBL](https://github.com/AndreBL), [@dz0ny](https://github.com/dz0ny), rigorous testing/bugreporting by [@dziny](https://github.com/dziny), [@bluenote73](https://github.com/bluenote73), [@buckaroo](https://github.com/pgera), [@Alexander-r](https://github.com/Alexander-r), [n8v8R](https://github.com/n8v8R), [psherman](https://forum.openwrt.org/u/psherman), multiple contributions from [dl12345](https://github.com/dl12345), [trendy](https://forum.openwrt.org/u/trendy) and feedback from other OpenWrt users it wouldn't have been possible. Wireguard/IPv6 support is courtesy of [Mullvad](https://www.mullvad.net) and [IVPN](https://www.ivpn.net/).
|
||||||
#!/bin/sh /etc/rc.common
|
#!/bin/sh /etc/rc.common
|
||||||
# Copyright 2017-2019 Stan Grishin (stangri@melmac.net)
|
# Copyright 2017-2020 Stan Grishin (stangri@melmac.net)
|
||||||
# shellcheck disable=SC2039,SC1091,SC2018,SC2019
|
# shellcheck disable=SC2039,SC1091,SC2018,SC2019
|
||||||
PKG_VERSION='dev-test'
|
PKG_VERSION='dev-test'
|
||||||
readonly __PASS__='\033[0;33m[-]\033[0m'
|
readonly __PASS__='\033[0;33m[-]\033[0m'
|
||||||
readonly _ERROR_='\033[0;31mERROR\033[0m'
|
readonly _ERROR_='\033[0;31mERROR\033[0m'
|
||||||
readonly _WARNING_='\033[0;33mWARNING\033[0m'
|
readonly _WARNING_='\033[0;33mWARNING\033[0m'
|
||||||
# readonly readmeURL="https://github.com/openwrt/packages/tree/master/net/vpn-policy-routing/files/README.md"
|
readonly readmeURL="https://github.com/openwrt/packages/tree/master/net/vpn-policy-routing/files/README.md"
|
||||||
readonly readmeURL="https://github.com/stangri/openwrt_packages/blob/master/vpn-policy-routing/files/README.md"
|
|
||||||
|
|
||||||
export EXTRA_COMMANDS='support'
|
export EXTRA_COMMANDS='support'
|
||||||
export EXTRA_HELP=" support Generates output required to troubleshoot routing issues
|
export EXTRA_HELP=" support Generates output required to troubleshoot routing issues
|
||||||
|
@ -28,6 +27,7 @@ readonly serviceName="$packageName $PKG_VERSION"
|
||||||
readonly PID="/var/run/${packageName}.pid"
|
readonly PID="/var/run/${packageName}.pid"
|
||||||
readonly dnsmasqFile="/var/dnsmasq.d/${packageName}"
|
readonly dnsmasqFile="/var/dnsmasq.d/${packageName}"
|
||||||
readonly userFile="/etc/${packageName}.user"
|
readonly userFile="/etc/${packageName}.user"
|
||||||
|
readonly sharedMemoryOutput="/dev/shm/$packageName-output"
|
||||||
create_lock() { [ -e "$PID" ] && return 1; touch "$PID"; }
|
create_lock() { [ -e "$PID" ] && return 1; touch "$PID"; }
|
||||||
remove_lock() { [ -e "$PID" ] && rm -f "$PID"; }
|
remove_lock() { [ -e "$PID" ] && rm -f "$PID"; }
|
||||||
trap remove_lock EXIT
|
trap remove_lock EXIT
|
||||||
|
@ -45,17 +45,19 @@ str_extras_to_space() { echo "$1" | tr ';{}' ' '; }
|
||||||
output() {
|
output() {
|
||||||
# Can take a single parameter (text) to be output at any verbosity
|
# Can take a single parameter (text) to be output at any verbosity
|
||||||
# Or target verbosity level and text to be output at specifc verbosity
|
# Or target verbosity level and text to be output at specifc verbosity
|
||||||
local msg
|
local msg memmsg logmsg
|
||||||
if [ $# -ne 1 ]; then
|
if [ $# -ne 1 ]; then
|
||||||
if [ $((verbosity & $1)) -gt 0 ] || [ "$verbosity" = "$1" ]; then shift; else return 0; fi
|
if [ $((verbosity & $1)) -gt 0 ] || [ "$verbosity" = "$1" ]; then shift; else return 0; fi
|
||||||
fi
|
fi
|
||||||
[ -t 1 ] && printf "%b" "$1"
|
[ -t 1 ] && printf "%b" "$1"
|
||||||
msg="${1//$serviceName /service }";
|
msg="${1//$serviceName /service }";
|
||||||
if [ "$(printf "%b" "$msg" | wc -l)" -gt 0 ]; then
|
if [ "$(printf "%b" "$msg" | wc -l)" -gt 0 ]; then
|
||||||
logger -t "${packageName:-service} [$$]" "$(printf "%b" "${logmsg}${msg}")"
|
[ -s "$sharedMemoryOutput" ] && memmsg="$(cat "$sharedMemoryOutput")"
|
||||||
logmsg=''
|
logmsg="$(printf "%b" "${memmsg}${msg}" | sed 's/\x1b\[[0-9;]*m//g')"
|
||||||
|
logger -t "${packageName:-service} [$$]" "$(printf "%b" "$logmsg")"
|
||||||
|
rm -f "$sharedMemoryOutput"
|
||||||
else
|
else
|
||||||
logmsg="${logmsg}${msg}"
|
printf "%b" "$msg" >> "$sharedMemoryOutput"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
is_installed() { [ -s "/usr/lib/opkg/info/${1}.control" ]; }
|
is_installed() { [ -s "/usr/lib/opkg/info/${1}.control" ]; }
|
||||||
|
@ -243,6 +245,9 @@ ipt_cleanup() {
|
||||||
for i in PREROUTING FORWARD INPUT OUTPUT; do
|
for i in PREROUTING FORWARD INPUT OUTPUT; do
|
||||||
while iptables -t mangle -D $i -m mark --mark 0x0/0xff0000 -j VPR_${i} >/dev/null 2>&1; do : ; done
|
while iptables -t mangle -D $i -m mark --mark 0x0/0xff0000 -j VPR_${i} >/dev/null 2>&1; do : ; done
|
||||||
done
|
done
|
||||||
|
for i in PREROUTING FORWARD INPUT OUTPUT; do
|
||||||
|
while iptables -t mangle -D $i -j VPR_${i} >/dev/null 2>&1; do : ; done
|
||||||
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
# shellcheck disable=SC2086
|
# shellcheck disable=SC2086
|
||||||
|
@ -313,7 +318,7 @@ insert_tor_policy() {
|
||||||
local comment="$1" iface="$2" laddr="$3" lport="$4" raddr="$5" rport="$6" proto="$7" chain="${8:-PREROUTING}"
|
local comment="$1" iface="$2" laddr="$3" lport="$4" raddr="$5" rport="$6" proto="$7" chain="${8:-PREROUTING}"
|
||||||
local mark=$(eval echo "\$mark_${iface//-/_}")
|
local mark=$(eval echo "\$mark_${iface//-/_}")
|
||||||
[ -z "$mark" ] && processPolicyError="${processPolicyError}${_ERROR_}: Unknown fw_mark for ${iface}##"
|
[ -z "$mark" ] && processPolicyError="${processPolicyError}${_ERROR_}: Unknown fw_mark for ${iface}##"
|
||||||
param="-t mangle $insertOption VPR_${chain} 1 -j MARK --set-xmark ${mark}/${fwMask}"
|
param="-t mangle $insertOption VPR_${chain} -j MARK --set-xmark ${mark}/${fwMask}"
|
||||||
[ -n "$laddr" ] && param="$param -s $laddr"
|
[ -n "$laddr" ] && param="$param -s $laddr"
|
||||||
[ -n "$lport" ] && param="$param -p tcp -m multiport --sport ${lport//-/:}"
|
[ -n "$lport" ] && param="$param -p tcp -m multiport --sport ${lport//-/:}"
|
||||||
[ -n "$raddr" ] && param="$param -d $raddr"
|
[ -n "$raddr" ] && param="$param -d $raddr"
|
||||||
|
@ -331,6 +336,9 @@ insert_policy() {
|
||||||
is_ipv6 "$raddr" && return 0
|
is_ipv6 "$raddr" && return 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if is_ipv4 "$laddr" && is_ipv6 "$raddr"; then return 0; fi
|
||||||
|
if is_ipv6 "$laddr" && is_ipv4 "$raddr"; then return 0; fi
|
||||||
|
|
||||||
if [ -z "$mark" ]; then
|
if [ -z "$mark" ]; then
|
||||||
processPolicyError="${processPolicyError}${_ERROR_}: Unknown fw_mark for ${iface}##"
|
processPolicyError="${processPolicyError}${_ERROR_}: Unknown fw_mark for ${iface}##"
|
||||||
return 0
|
return 0
|
||||||
|
@ -597,19 +605,21 @@ table_create(){
|
||||||
fi
|
fi
|
||||||
if [ -n "$remoteIpset" ]; then
|
if [ -n "$remoteIpset" ]; then
|
||||||
if ips 'create' "${iface}" 'hash:net comment' && ips 'flush' "${iface}"; then
|
if ips 'create' "${iface}" 'hash:net comment' && ips 'flush' "${iface}"; then
|
||||||
ipt -t mangle -I VPR_PREROUTING -m set --match-set "${iface}" dst $appendRemotePolicy -j MARK --set-xmark "${mark}/${fwMask}" || s=1
|
for i in PREROUTING FORWARD INPUT OUTPUT; do
|
||||||
|
ipt -t mangle -I VPR_${i} -m set --match-set "${iface}" dst -j MARK --set-xmark "${mark}/${fwMask}" || s=1
|
||||||
|
done
|
||||||
else
|
else
|
||||||
s=1
|
s=1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ "$localIpset" -ne 0 ]; then
|
if [ "$localIpset" -ne 0 ]; then
|
||||||
if ips 'create' "${iface}_ip" 'hash:net comment' && ips 'flush' "${iface}_ip"; then
|
if ips 'create' "${iface}_ip" 'hash:net comment' && ips 'flush' "${iface}_ip"; then
|
||||||
ipt -t mangle -I VPR_PREROUTING -m set --match-set "${iface}_ip" src $appendLocalPolicy -j MARK --set-mark "${mark}/${fwMask}" || s=1
|
ipt -t mangle -I VPR_PREROUTING -m set --match-set "${iface}_ip" src -j MARK --set-mark "${mark}/${fwMask}" || s=1
|
||||||
else
|
else
|
||||||
s=1
|
s=1
|
||||||
fi
|
fi
|
||||||
if ips 'create' "${iface}_mac" 'hash:mac comment' && ips 'flush' "${iface}_mac"; then
|
if ips 'create' "${iface}_mac" 'hash:mac comment' && ips 'flush' "${iface}_mac"; then
|
||||||
ipt -t mangle -I VPR_PREROUTING -m set --match-set "${iface}_mac" src $appendLocalPolicy -j MARK --set-mark "${mark}/${fwMask}" || s=1
|
ipt -t mangle -I VPR_PREROUTING -m set --match-set "${iface}_mac" src -j MARK --set-mark "${mark}/${fwMask}" || s=1
|
||||||
else
|
else
|
||||||
s=1
|
s=1
|
||||||
fi
|
fi
|
||||||
|
@ -781,7 +791,7 @@ start_service() {
|
||||||
|
|
||||||
for i in PREROUTING FORWARD INPUT OUTPUT; do
|
for i in PREROUTING FORWARD INPUT OUTPUT; do
|
||||||
ipt -t mangle -N "VPR_${i}"
|
ipt -t mangle -N "VPR_${i}"
|
||||||
ipt -t mangle "$insertOption" "$i" -m mark --mark "0x00/${fwMask}" -j "VPR_${i}"
|
ipt -t mangle "$insertOption" "$i" -m mark --mark "0x0/${fwMask}" -j "VPR_${i}"
|
||||||
done
|
done
|
||||||
|
|
||||||
output 1 'Processing Interfaces '
|
output 1 'Processing Interfaces '
|
||||||
|
@ -844,7 +854,7 @@ stop_service() {
|
||||||
if create_lock; then
|
if create_lock; then
|
||||||
load_package_config
|
load_package_config
|
||||||
for i in PREROUTING FORWARD INPUT OUTPUT; do
|
for i in PREROUTING FORWARD INPUT OUTPUT; do
|
||||||
ipt -t mangle -D "${i}" -m mark --mark "0x00/${fwMask}" -j "VPR_${i}"
|
ipt -t mangle -D "${i}" -m mark --mark "0x0/${fwMask}" -j "VPR_${i}"
|
||||||
ipt -t mangle -F "VPR_${i}"; ipt -t mangle -X "VPR_${i}";
|
ipt -t mangle -F "VPR_${i}"; ipt -t mangle -X "VPR_${i}";
|
||||||
done
|
done
|
||||||
config_load 'network'; config_foreach process_interface 'interface' 'destroy'
|
config_load 'network'; config_foreach process_interface 'interface' 'destroy'
|
||||||
|
@ -865,22 +875,23 @@ stop_service() {
|
||||||
|
|
||||||
# shellcheck disable=SC2119
|
# shellcheck disable=SC2119
|
||||||
service_triggers() {
|
service_triggers() {
|
||||||
local n
|
local n
|
||||||
is_enabled || return 1
|
is_enabled || return 1
|
||||||
|
|
||||||
procd_open_validate
|
procd_open_validate
|
||||||
validate_config
|
validate_config
|
||||||
validate_policy
|
validate_policy
|
||||||
validate_include
|
validate_include
|
||||||
procd_close_validate
|
procd_close_validate
|
||||||
|
|
||||||
procd_add_reload_trigger 'firewall' 'openvpn' 'vpn-policy-routing'
|
procd_add_reload_trigger 'firewall' 'openvpn' 'vpn-policy-routing'
|
||||||
procd_open_trigger
|
procd_open_trigger
|
||||||
for n in $ifSupported; do procd_add_reload_interface_trigger "$n"; procd_add_interface_trigger "interface.*" "$n" /etc/init.d/${packageName} reload; done;
|
for n in $ifSupported; do procd_add_reload_interface_trigger "$n"; procd_add_interface_trigger "interface.*" "$n" /etc/init.d/${packageName} reload; done;
|
||||||
# output "$serviceName monitoring interfaces: $ifSupported\\n"; # output_okn;
|
procd_close_trigger
|
||||||
# for n in $ifAll; do procd_add_reload_interface_trigger "$n"; procd_add_interface_trigger "interface.*" "$n" /etc/init.d/${packageName} reload; done;
|
|
||||||
# output "$serviceName monitoring ALL interfaces: $ifAll"; output_okn;
|
if [ "$verbosity" -eq 2 ]; then
|
||||||
procd_close_trigger
|
output "$serviceName monitoring interfaces: $ifSupported.\\n"
|
||||||
|
fi
|
||||||
}
|
}
|
input() { local data; while read -r data; do echo "$data" | tee -a /var/${packageName}-support; done; }
|
input() { local data; while read -r data; do echo "$data" | tee -a /var/${packageName}-support; done; }
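Review bot: In the output() hunk (`@ -45,17 +45,19 @@`), the partial-line buffer `$sharedMemoryOutput` is removed only on the flush path, so a run that exits with an unterminated line leaves `/dev/shm/<packageName>-output` behind and the next invocation prepends that stale text (via `memmsg`) to its first log message; the EXIT trap shown in the previous hunk (`trap remove_lock EXIT`) still cleans only `$PID`, so consider `remove_lock() { [ -e "$PID" ] && rm -f "$PID"; rm -f "$sharedMemoryOutput"; }`. The buffer name is fixed per package rather than per invocation, so concurrent start/reload runs (service_triggers registers interface-event reload triggers) would share and interleave one file, and it is a predictable path in world-writable /dev/shm that the script appends to as root with `>>` without checking ownership; if output() only ever runs in the script's own shell process, a `$$`-suffixed name such as `readonly sharedMemoryOutput="/dev/shm/${packageName}-output.$$"` addresses both. Separately, the new `sed 's/\x1b\[[0-9;]*m//g'` strips only SGR colour sequences, while the `\xe2\x9c\x97` glyph in `__FAIL__` (context line of the `@ -13,8 +13,7 @@` hunk) still reaches logger, so the "remove non-ASCII from log" goal in the title is only partly met — appending `| tr -cd '\11\12\15\40-\176'` to that pipeline would drop the remaining non-ASCII bytes. Whether the target busybox sed accepts the `\x1b` escape cannot be confirmed from the page and is worth checking on a device.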