| docs:guide-user:network:wan:multiwan:mwan3 [2024/05/16 16:35] – [OpenWrt version] jamesmacwhite | docs:guide-user:network:wan:multiwan:mwan3 [2024/05/17 08:30] – [nft2ipset init script] jamesmacwhite | ||
|---|---|---|---|
| Line 623: | Line 623: | ||
| <WRAP center important 100%> | <WRAP center important 100%> | ||
| - | ipset functionality is broken in 23.05 due to the '' | + | ipset functionality is broken in 23.05 due to the '' |
| </ | </ | ||
| Line 1356: | Line 1356: | ||
| ==== nft2ipset init script ==== | ==== nft2ipset init script ==== | ||
| - | Due to the default firewall now being nftables, rather than iptables, the ipset functionality used in conjunction dnsmasq and mwan3 no longer works in 23.02 versions. This is due to mwan3 not being fully compatible with nftables and requires | + | Due to the default firewall |
| - | <code sh> | + | You will need to use nfset with dnsmasq for ipset polices to be created, |
| - | #!/bin/sh / | + | |
| - | # Start before firewall and mwan3 which are at Prio 19 | + | |
| - | START=18 | + | |
| - | APP=nft2ipset | + | |
| - | USE_PROCD=1 | + | |
| - | SCRIPTPATH="/ | + | |
| - | write_script() { | + | For help with this init script, please message @Kishi on the forum thread and also thank them if you found this useful! |
| - | cat > " | + | |
| - | #!/bin/sh | + | |
| - | #check if the script | + | |
| - | PID=$$ | + | |
| - | SCRIPT=" | + | |
| - | TMPDIR="/ | + | |
| - | MONITORPIDFILE=" | + | |
| - | MONITORFIFO=" | + | |
| - | mkfifo " | + | |
| - | cleanup () { | + | The script is [[https://gist.github.com/Kishi85/b7f379f9aa19f4878af28b8e1a8887ab|published as gist on GitHub]] so the full code can be inspected |
| - | # Cleanup nft monitor subprocess | + | |
| - | if [ -f " | + | |
| - | MONITORPID=" | + | |
| - | if [ " | + | |
| - | kill " | + | |
| - | fi | + | |
| - | fi | + | |
| - | # Remove pid file and fifo | + | |
| - | rm " | + | |
| - | } | + | |
| - | trap cleanup TERM INT EXIT | + | |
| - | + | ||
| - | create_or_update_ipset() { | + | |
| - | # Determine ipset parameters | + | |
| - | local DEF=" | + | |
| - | local NAME=" | + | |
| - | local OPTS="" | + | |
| - | local FAMILY=" | + | |
| - | if echo " | + | |
| - | FAMILY=" | + | |
| - | OPTS=" | + | |
| - | fi | + | |
| - | local TIMEOUT=" | + | |
| - | if [ -n " | + | |
| - | OPTS=" | + | |
| - | fi | + | |
| - | + | ||
| - | # Create or update ipset from nftables set | + | |
| - | if [ " | + | |
| - | CUR=" | + | |
| - | if ! ( echo " | + | |
| - | ( ipset destroy " | + | |
| - | elif ! ( echo " | + | |
| - | # Swap current iteration of the ipset with a new iteration due to timeout mismatch | + | |
| - | ipset create " | + | |
| - | ipset swap " | + | |
| - | ipset destroy " | + | |
| - | logger -t " | + | |
| - | fi | + | |
| - | fi | + | |
| - | if [ " | + | |
| - | # Create a new ipset with options matching the nftables set | + | |
| - | ipset create " | + | |
| - | # Restart mwan3 if this ipset is used by it, it is already running but the set name is not found in active rule output | + | |
| - | if [ $? = 0 ] && grep -q " | + | |
| - | mwan3 restart | + | |
| - | fi | + | |
| - | logger -t " | + | |
| - | fi | + | |
| - | + | ||
| - | # Add already existing entries to the set | + | |
| - | echo " | + | |
| - | if [ -n " | + | |
| - | ipset -q add " | + | |
| - | fi | + | |
| - | done | + | |
| - | } | + | |
| - | + | ||
| - | # Check if ipsets exist for all currently existing nftsets or create otherwise | + | |
| - | nft -nT list sets | tr ' | + | |
| - | create_or_update_ipset " | + | |
| - | done | + | |
| - | + | ||
| - | # Monitor nftables rule changes | + | |
| - | nft -nT monitor > " | + | |
| - | echo $! > " | + | |
| - | while read LINE; do | + | |
| - | if echo " | + | |
| - | # Check if ipset exists or create otherwise | + | |
| - | NAME=" | + | |
| - | if [ " | + | |
| - | DEF=" | + | |
| - | create_or_update_ipset " | + | |
| - | fi | + | |
| - | # Add element to ipset | + | |
| - | IP=" | + | |
| - | EXPIRES=" | + | |
| - | ADDOPTS="" | + | |
| - | if [ $EXPIRES -gt 0 ]; then | + | |
| - | ADDOPTS=" | + | |
| - | fi | + | |
| - | if ipset -q test " | + | |
| - | # Refresh | + | |
| - | ipset -q del " | + | |
| - | ipset -q add " | + | |
| - | else | + | |
| - | ipset -q add " | + | |
| - | logger -t " | + | |
| - | fi | + | |
| - | elif echo " | + | |
| - | # Create or update ipset | + | |
| - | NAME=" | + | |
| - | DEF=" | + | |
| - | create_or_update_ipset " | + | |
| - | elif echo " | + | |
| - | # Clear and try to delete removed ipset (This will fail if it is in use by any iptables rule) | + | |
| - | NAME=" | + | |
| - | ipset clear " | + | |
| - | ipset destroy " | + | |
| - | fi | + | |
| - | done < " | + | |
| - | EOT | + | |
| - | } | + | |
| - | + | ||
| - | start_service() { | + | |
| - | write_script " | + | |
| - | chmod +x " | + | |
| - | procd_open_instance | + | |
| - | procd_set_param command " | + | |
| - | procd_set_param respawn | + | |
| - | procd_close_instance | + | |
| - | } | + | |
| - | service_stopped() { | + | |
| - | rm " | + | |
| - | } | + | |
| - | # vim: ts=2 sw=2 et | + | |
| - | </ | + | |
| Installation instructions: | Installation instructions: | ||
| < | < | ||
| + | wget -O / | ||
| chmod +x / | chmod +x / | ||
| service nft2ipset enable | service nft2ipset enable | ||