cni-protocol: update protocol

Changes to the protocol file and its description.
Works better now and restarts the firewall automatically
when the tunnel becomes available. More informative/guiding
description.

Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
This commit is contained in:
Oskari Rauta 2023-10-08 17:51:50 +03:00 committed by Tianling Shen
parent bf7ce353b8
commit ff93e4a19d
2 changed files with 65 additions and 30 deletions


@ -1,7 +1,7 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=cni-protocol PKG_NAME:=cni-protocol
PKG_VERSION:=20230217 PKG_VERSION:=20231008
PKG_RELEASE:=1 PKG_RELEASE:=1
PKG_MAINTAINER:=Oskari Rauta <oskari.rauta@gmail.com> PKG_MAINTAINER:=Oskari Rauta <oskari.rauta@gmail.com>
@ -16,25 +16,44 @@ define Package/cni-protocol
endef endef
define Package/cni-protocol/description define Package/cni-protocol/description
protocol support for cni networks for netifd protocol support for netavark/cni networks for netifd
makes defining network for podman and other similar makes defining networks for podman and other similar
systems using cni networking much easier and simpler. systems easier and simple.
with cni protocol support, on a network, where firewall with protocol, a network where firewall and portmapper
and portmapper management is disabled, you may control management is disabled, control of firewalling, whether
firewalling with openwrt's default firewall configuration. it was exposing ports, and forwarding to them from wan,
or limiting/accepting access to other networks such
as lan can made through openwrt's own firewalling
configuration.
for example, create a container that hosts web content on example configuration could be as following:
port 80 with static ip on your cni network, if your - lan network: 10.0.0.0/16 (255.255.0.0)
network is 10.88.0.0/16, use for eg. 10.88.0.101 as - container network: 10.129.0.1/24 (255.255.255.0)
your containers static ip address. Create a zone, cni
to your firewall and add your interface to it.
Now you can easily set up redirectiong to 10.88.0.101:80 Add a network configuration for your container network
to expose it's port 80 to wan for serving your website. using cni protocol. Then create firewall zone for it.
Protocol has one setting: device, on podman this often You could create a new container/pod with static ip
is cni-podman0. address 10.129.0.2 (as 10.129.0.1 as container network's
gateway).
Easily define permissions so that local networks can
connect to cni network, but not the other way around.
Also you want to allow forwarding from/to wan.
Now, as cni cannot access local dns, make a rule for
your firewall to accept connections from cni network
to port 53 (dns).
Now all you have to do, is make redirects to your firewall
and point them to 10.129.0.2 and connections from wan are
redirectered to containers/pods.
Protocol has 2 settings: device and delay. Sometimes polling
interfaces takes some time, and in that case you might want
to add few seconds to delay. Otherwise, it can be excluded
from configuration.
endef endef
define Build/Configure define Build/Configure


@ -9,33 +9,50 @@
proto_cni_init_config() { proto_cni_init_config() {
no_device=0 no_device=0
available=0 available=0
no_proto_task=1
teardown_on_l3_link_down=1
proto_config_add_string "device:device" proto_config_add_string "device:device"
proto_config_add_int "delay"
} }
proto_cni_setup() { proto_cni_setup() {
local cfg="$1" local cfg="$1"
local device ipaddr netmask broadcast route routemask routesrc local iface="$2"
local device delay
json_get_var device device json_get_vars device delay
ipaddr=$(ip -4 -o a show "$device" | awk '{ print $4 }' | cut -d '/' -f1) [ -n "$device" ] || {
netmask=$(ip -4 -o a show "$device" | awk '{ print $4 }' | cut -d '/' -f2) echo "No cni interface specified"
broadcast=$(ip -4 -o a show "$device" | awk '{ print $6 }') proto_notify_error "$cfg" NO_DEVICE
route=$(ip -4 -o r show dev "$device" | awk '{ print $1 }' | cut -d '/' -f1) proto_set_available "$cfg" 0
routemask=$(ip -4 -o r show dev "$device" | awk '{ print $1 }' | cut -d '/' -f2) return 1
routesrc=$(ip -4 -o r show dev "$device" | awk '{ print $7 }') }
[ -n "$delay" ] && sleep "$delay"
[ -L "/sys/class/net/${iface}" ] || {
echo "The specified interface $iface is not present"
proto_notify_error "$cfg" NO_DEVICE
proto_set_available "$cfg" 0
return 1
}
local ipaddr netmask broadcast route routemask routesrc
ipaddr=$(ip -4 -o a show "$iface" | awk '{ print $4 }' | cut -d '/' -f1)
netmask=$(ip -4 -o a show "$iface" | awk '{ print $4 }' | cut -d '/' -f2)
broadcast=$(ip -4 -o a show "$iface" | awk '{ print $6 }')
route=$(ip -4 -o r show dev "$iface" | awk '{ print $1 }' | cut -d '/' -f1)
routemask=$(ip -4 -o r show dev "$iface" | awk '{ print $1 }' | cut -d '/' -f2)
routesrc=$(ip -4 -o r show dev "$iface" | awk '{ print $7 }')
[ -z "$ipaddr" ] && { [ -z "$ipaddr" ] && {
echo "cni network $cfg does not have ip address" echo "interface $iface does not have ip address"
proto_notify_error "$cfg" NO_IPADDRESS proto_notify_error "$cfg" NO_IPADDRESS
return 1 return 1
} }
proto_init_update "$device" 1 proto_init_update "$iface" 1
[ -n "$ipaddr" ] && proto_add_ipv4_address "$ipaddr" "$netmask" "$broadcast" "" [ -n "$ipaddr" ] && proto_add_ipv4_address "$ipaddr" "$netmask" "$broadcast" ""
[ -n "$route" ] && proto_add_ipv4_route "$route" "$routemask" "" "$routesrc" "" [ -n "$route" ] && proto_add_ipv4_route "$route" "$routemask" "" "$routesrc" ""
proto_send_update "$cfg" proto_send_update "$cfg"
@ -43,7 +60,6 @@ proto_cni_setup() {
proto_cni_teardown() { proto_cni_teardown() {
local cfg="$1" local cfg="$1"
#proto_set_available "$cfg" 0
return 0 return 0
} }
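Review bot: The six `ip … | awk | cut` pipelines on the new `$iface` lines (the `ipaddr=` through `routesrc=` block) read every entry of the address and route tables, so a bridge that carries a second IPv4 address or route produces multi-line values that are then passed to proto_add_ipv4_address/proto_add_ipv4_route unchanged. One `ip` call per table, keeping the first entry and splitting fields with parameter expansion, removes that case and five forks; `$cfg` and `$iface` are already saved in locals, so reusing the positional parameters for the split is safe. With the `[ -z "$ipaddr" ] && { … return 1; }` guard in place, the `[ -n "$ipaddr" ] &&` prefix before proto_add_ipv4_address is dead and can be dropped. The configured `device` read by `json_get_vars device delay` is only tested for emptiness and never used afterwards — presumably `$2` is the device netifd resolved from that same option, which deserves a one-line comment such as `# $2 is the device netifd resolved for this interface; the option only has to be present`. proto_cni_setup's closing brace lies outside the hunk.
```shell
	local ipaddr netmask broadcast route routemask routesrc
	# one query per table; keep the first entry only so a second address or
	# route on the bridge cannot turn these into multi-line values
	set -- $(ip -4 -o a show "$iface" | head -n1)
	ipaddr=${4%/*} netmask=${4#*/} broadcast=$6
	set -- $(ip -4 -o r show dev "$iface" | head -n1)
	route=${1%/*} routemask=${1#*/} routesrc=$7
	# … unchanged: empty-address check and proto_* update calls …
```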