* fix: detect/support point-to-point interfaces in dynamic routing mode
* fix: avoid IPv4/IPv6 address collisions on Tor policies
* fix: do not set triggers on boot when service is disabled in config
* fix: more robust forward stop/enable
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* add support for OpenVPN netifd detection (thanks @egc112)
* add support for disable LAN->WAN forwarding when `strict_enforcement` is
set on start and restart (thanks @egc112)
* fix: always create marking chains for interfaces
* fix: insert DSCP/ICMP-related nft rules after marking chains
* fix: shellcheck-related improvements
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* bugfix: don't mask RFC1918 in the support output
* bugfix: proper processing of downed interfaces
Thanks to everyone who reported/tested and @egc112 for collecting feedback.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Makefile:
* Remove installation of /usr/share/nftables.d/* files as they are no
longer needed
Init script:
* bugfixes/more mature netifd extensions support
* refactor of the nft_file function and global variables it uses
* the "main" atomic nft file now includes creation of pbr chains and jumps
from relevant fw4 chains to pbr chains
* more consistent use of "uplink" wording in the output and variable names
* implement resolver 'wait' call and use it before trying to resolve any
policy entries
* major overhaul of the split uplink case (IPv4-only wan and IPv6-only
wan6), should now create/use a single pbr_wan table for both legacy and
IPv6 routing and the same marking chain
* updates to IDs and text of some error messages (needs luci app update)
* major speed improvements for service stop
* unify the cleanup_* functions into a single cleanup function
* reject creating/additions to nft sets for src_address entries as dnsmasq
doesn't populate sets with local addresses
* minor bugfixes/code cleanups
* refactor processing of WG servers due to split uplink support (thanks
@egc112!)
* clearer (hopefully) argument names for process_interface calls
* small improvements to status_service
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Remove many obsolete files.
Makefile:
* remove netifd-flavour related code
* remove trailing white spaces
Init-script:
* proper deletion of default network rules for IPv{4,6}
* fix netifd function error when IPv6 is enabled
* remove trailing white spaces
Signed-off-by: Stan Grishin <stangri@melmac.ca>
pbr 1.2.1-r35
Makefile:
* split uci-defaults into different purpose files
* add handling of netifd integration
Config:
* update with default values for all options (thanks @betonmischer86)
Init-script:
* add netifd integration handling
* add ip() function to emulate ip rule replace
* add netbird intrfaces support (thanks @egc112)
* reorganize loading/handling of options in load_package_config()
* improve display of interface triggers in service_triggers()
* remove chains cleanup from stop_service() due to exclusive use of fw4 nft files
* improve status_service() output
* drop input and postrouting as valid options for policy chain
Uci-defaults files:
* 91-pbr-nft: cosmetic improvements
Default nft files:
* drop use of input and postrouting chanins
Custom User files:
* dns-prefetch: functional improvements (thanks @betonmischer86)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Makefile:
* stop shipping/dealing with the firewall hotplug (obsolete)
* install a third user-script (dnsprefetch) by @betonmischer
Config:
* remove obsolete options
* include the new user script
Init-script:
* start much earlier so that on boot, the procd_add_raw_trigger works on all systems
* create a ubus() helper function so that service delete does not produce "Command not found"
* rename options to better reflect their function:
* procd_lan_device to lan_device
* procd_wan_interface to uplink_interface
* procd_wan6_interface to uplink_interface6
* procd_wan6_metric to uplink_interface6_metric
* wan_ip_rules_priority to uplink_ip_rules_priority
* wan_mark to uplink_mark
* visually separate run-time variables from variables loaded from config options
* use ${IPKG_INSTROOT} when sourcing files
* fix typo in str_to_dnsmasq_nftset()
* use pidof to kill dnsmasq in dnsmasq_kill()
* add helper function uci_add_list_if_new()
* add helper function uci_changes()
* add helper function ubus() so that service delete does not produce "Command not found"
* implement the dnsmasq features check similar to dnsmasq init script
* add get_url() function similar to luci package
* add/modify error and warning messages
* change how mktemp is used for more reliable file creation
* unset non-true boolean package config options on load for easier checks later
* improve handling of nft/nft set options
* fewer calls to resolver() and resolver() optimization to speed up the service
* use softlinks instead of duplicating dnsmasq nftset files into each instance
* prevent duplication of dnsmasq nftset elements
* option to target a specific dest dns port in DNS policies
* bugfix: more reliable interface reloads
* display README links to errors/warnings sections if any errors/warnings discovered
Uci-defaults:
* transition from old options to new ones
Signed-off-by: Stan Grishin <stangri@melmac.ca>
- drop load_environment_flag and always load environment on start, making
restart command great again
- store/restore existing jshn namespace when using json()
- remove unneeded sleepCount in is_wan_up()
- move updated README inside files/
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Makefile:
- add SPDX-Identifier-License
- update Copyright
README:
- add basic README with the link to full documentation
Config:
- add debug_dnsmasq
- add procd_boot_trigger_delay
Init Script:
- move extra_command calls high up for visibility
- bump packageCompat to sync with luci app
- implement support for debug_dnsmasq to dump dnsmasq debug into $packageDebugFile
- create $runningStatusFile json-file allowing more verbose errors/warnings messages
- replaced `state add` calls with json add calls to store errors/warnings messages
- remove no longer needed errorSummary, warningSummary
- ensure environment is only loaded once per run via $load_environment_flag
- bugfix: update is_{host,hostname,domain,ipv4,mac_address} functions to properly sort policy entries
- bugfix: change references to melmac.net to melmac.ca
- add some new error/warning messages
- add delay before service is started on boot via procd_boot_trigger_delay
- bugfix: add logic to identify unknown policy entries instead of silently failing on them
- store error/warning messages as json objects in ubus data for luci app
- update load_validate_config with debug_dnsmasq and procd_boot_trigger_delay entries
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* Improve verbose output on start
* Allow to not create ip rule for WG server
* Improve boot up start (take 2)
* Improve verbose output when setting triggers
* Override DNS hijack with DNS policies from pbr
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 24.10.0-rc2
Run tested: x86_64, Dell EMC Edge620, OpenWrt 24.10.0-rc2
Description:
* stop building netifd flavour until netifd isuees are resolved
* improve output()
* improve inline_set()
* improve is_config_enabled()
* bugfix is_domain()
* improve is_supported_protocol()
* improve is_supported_interface()
* bugfix is_tor_running()
* improve ipv4_leases_to_nftset()
* improve ipv6_leases_to_nftset()
* add check for ip-full binary on start
* bugfix: load environment on boot
* bugfix: hack around dnsmasq confdir instances
* bugfix: IPv6-related fixes for internet_routing() and status_service()
* improve netifd setup by bringing code into the init script from uci-defaults
* bugfix: do not attempt to use IPv6 prefixes in pbr.user.aws if IPv6 support is disabled in pbr config
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* bump compat version to accommodate new strings
* update dnsmasq-related code to better support separate confdirs
for separate instances
* remove procd_lan_interface as it didn't reflect that it's a list of devices
* introduce procd_lan_device list
* improve the output() function (thanks @bigsmile74)
* remove duplicate uci_get_device
* improve ipv6 detection and interface setup
* improve dhcp force detection for interfaces name differently from lan
* fix array/element parameters for some json operations
* remove unneeded null redirects for `try` calls
* remove (iptables-only) capitalized chain names form validation
* working pbr-netifd flavor
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Changes from @stangri
* remove unneeded `\n` escapes
* cosmetic improvements to make code more consistent
* remove duplicate uci_get_device()
* add more output on start/stop
* remove wan up detection on boot/start
* address Tor policies errors
* prevent interface_routing() failures for downed interfaces
Changes from @bigsmile74:
* improve is_integer()
* improve is_domain()
* improve filter_options()
* imrove is_ipv4() so that is_ipv4_netmask() can be retired
* improve is_phys_dev so that is_phys_dev_quick() can be retired
* add the dhcp.lan.force=0 warning
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* switch to dstnat chain from dstnat_lan chain for dns & tor policies (thanks @egc112)
* re-introduce procd_lan_interface for better LAN detection
* improve is_domain function
* introduce health-check for requried fw4 chains
* bugfix: avoid double counters for dns policies
* bugfix: remove faulty counters for tor policies
* rename interface_process to process_interface for better code readability
* overhaul pbr.user.aws script for a much better performance and more compact
(gzipped) storage of the ranges json locally (thanks @bigsmile74)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* implement system health check on start for required fw4 table/chains
* add error messages for failed health checks
* move resolver check & config from load_package_config to load_environment
* no longer filter only static rules for pbr_* tables
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* allow using WG servers as gateways if explicitly set in supported_interface
* automatically execute user scripts in /etc/pbr.d/
* change the dnsmasq restart logic on start/reload/restart
* further nft file atomic mode-related code cleanup
* fix spelling in error message
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Makefile:
* remove pbr-iptables flavour
Init-script:
* improve detection of wireguard server and client instances
* integrate wg_server_and_client into init script
* remove traffic_killswitch() and trap() and related options/code
* remove internal nft_file_support variable as fw4 nft file is the only running mode
* improve debug() and is_supported_interface() functions
* improve detection of incompatible user script files
* double-quote some strings due to shellcheck errors
* flush ip rules from pbr tables instead of deleting last one
Other files:
* remove /usr/share/pbr/pbr.user.wg_server_and_client as obsolete
* remove references to the file above in config on update thru uci-defaults
* minor updates to netifd uci-defaults script
Signed-off-by: Stan Grishin <stangri@melmac.ca>
This version is the final version supporting iptables and:
* it separates the old iptables/nft-capable init script from the new nft-only init script
* the new nft-script is a significant rewrite of the old recursive calls/policy parsing
and tries to create inline nft sets which offers performance improvements
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* update license to AGPL-3.0-or-later
* rename pbr_get_gateway to pbr_get_gateway4 for better readability
* improve IPv6 "gateway" detection/display on start
* prevent IPv6 interface errors on start
* revert release format
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* delete obsolete files/etc/init.d/pbr.init
* add files/etc/uci-defaults/91-pbr-iptables to help update from older OpenWrt
* add files/etc/uci-defaults/91-pbr-nft to help update from older OpenWrt
* update files/etc/uci-defaults/91-pbr-netifd to only add tables to supported ifaces
* re-organize variants in the Makefile so that they hopefull work this time
* update prerm for all variants for better user experience
* update the -netifd prerm to remove leftofver entries from network and rt_tables file
In the init script:
* add decorations for netifd-interfaces related operations (blue ticks)
* add rtTablesFile variables instead of hard-coding the rt_tables file
* add function to check if the table is netifd-derived
* add error messages/hints for failed interface setup and failed WAN discovery
* make cleanup_rt_tables the netifd-compatible
* streamline interface_process function with a clearer case statement
* rename the interface_process `pre-init` option to `pre_init` to conform to the other
functions options naming style
Signed-off-by: Stan Grishin <stangri@melmac.ca>
This update includes the following changes:
1. Makefile
* update copyright
* attempt to implement the proper variants to avoid luci-app dependency on both variants
* quietly stop service on uninstall
2. Config-file
* add the list of dnsmasq instances to target in supported dnsmasq modes
* for default pbr variant, set the `resolver_set` to `dnsmasq.nftset`
* for iptables pbr variant, set the `resolver_set` to `dnsmasq.ipset`
* add the `nft_file_support` (disabled by default)
* introduce `procd_boot_delay` to delay service start on boot
* introduce the following nft set creation options:
* nft_set_auto_merge
* nft_set_counter
* nft_set_flags_interval
* nft_set_flags_timeout
* nft_set_gc_interval
* nft_set_policy
* nft_set_timeout
* add the pbr.user.wg_server_and_client custom user script to allow running wg server and
client at the same time
* add the "Ignore Local Requests" sample policy
3. Hotplug firewall/interface scripts
* better logged messages
4. The pbr and pbr-iptables uci defaults script
* use functions from the init script
* improve vpn-policy-routing migration
5. The pbr-netifd uci defaults script
* use functions from the init script
* improve uci operations
6. Introduce the firewall.include file
7. Improve pbr.user.aws custom user script
8. Improve pbr.user.netflix custom user script
9. Introduce pbr.user.wg_server_and_client custom user script
10. Update the init file:
* refactor some code to allow the init script file to be sourced by the uci defaults scripts
and the luci rpcd script for shared functions
* add support for `nft_file_mode` in which service prepares the fw4-compatible atomic nft/include
file for faster operations on service reload
* improve Tor support (nft mode only)
* implement support for nft set options
* update validation functions for new options/parameters
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* add missing space in str_contains
* unquote variable to make sure IPv6 rotues are added
* add IPv6 routes display to status output in nft mode
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* suppress RTNETLINK errors when inserting ipv6 routes
* only display global scope IPv6 gateways in status/WebUI
* stop and disable vpn-policy-routing when migrating
Signed-off-by: Stan Grishin <stangri@melmac.ca>
*** MAKEFILE ***
* remove libubus dependency as it was causing issues
https://forum.openwrt.org/t/policy-based-routing-pbr-package-discussion/140639/318
* move firewall hotplug directory/file creation out of default section into
pbr and pbr-iptables packages sections in preparation for dropping it from pbr
* fix no new line after output when uninstalling packages
*** UCI-DEFAULTS ***
* only add firewall include to firewall config if the include file exists
* add shellcheck exception to netifd uci-defaults file
*** SCRIPTS ***
* more informative logging for firewall and iface hotplug scripts
* more informative logging for firewall include script
*** SERVICE ***
* introduce lock-file to prevent package starting on external events if it hasn't
been auto- or manually started before
* use the `ip`, not `ip-full` command to prevent errors on OpenWrt 21.02
* parse firewall WAN zone to append list of interfaces
* append error and warning "arrays" with new messages
* used shared memory to store the service output/logging messages
* improve is_ovpn function to filter out false positives when interface names started
with `tun`
* introduce is_valid_ovpn to find OpenVPN tunnels where the device name in OpenVPN config
matches the device name in network config
* introduce opkg_get_version to compare versions of principal and luci packages
* better code to obtain AdGuardHome version with betas installed
* optimize code and add better logging for errors when inserting policies with iptables
* optimize code and add better logging for errors when inserting policies with nft
* bugfix: insert policies in all specified protocols
* bugfix: support using physical devices in policies in nft mode
* bugfix: use iptPrefix, not nftPrefix in iptables commands
* implement Tor support in nft mode
* bugfix: fix spelling for User File Syntax error
* restart service fully (instead of quick reload) for OpenVPN interface events, as
the order/number of supported interfaces
* more verbose output (showing handles) of status in nft mode
* improve `icmp_interface`, `ignored_interface`, `supported_interface` validation
regexes
* improve `interface`, validation regex
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Bugfixes:
* better error information for empty tid/mark and failure to resolve domains
* better handling of entries in /etc/iproute2/rt_tables
* update packages definitions and descriptions
* remove firewall4 from dependencies to prevent dependency recursion
Updates:
* introduce nft_user_set_policy and nft_user_set_counter to control options for
user nft sets this service creares
* use counters in internal nft sets
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* The makefile produces the nft and iptables capable `pbr` package
and the `pbr-iptables` package for legacy setups
* This replaces `vpnbypass` and `vpn-policy-routing` packages
* I'm soliciting feedback on this package and my intention is to
update the version to 1.0.0 before this is merged, but I need the
feedback on this and luci-app-pbr before then.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
