| docs:guide-user:network:wan:multiwan:mwan3 [2024/05/17 08:21] – [Rule configuration] Add ipset workaround jamesmacwhite | docs:guide-user:network:wan:multiwan:mwan3 [2024/05/17 08:30] – [nft2ipset init script] jamesmacwhite | ||
| Line 1356: | Line 1356: | ||
| ==== nft2ipset init script ==== | ==== nft2ipset init script ==== | ||
| - | Due to the default firewall (fw4) now being based on nftables (rather than iptables), the ipset functionality commonly used in conjunction with dnsmasq and mwan3 no longer works in 23.05 releases. This is due to mwan3 not being fully compatible with nftables and requiring iptables compatibility/ | + | Due to the default firewall (fw4) now being based on nftables (rather than iptables), the ipset functionality commonly used in conjunction with dnsmasq and mwan3 no longer works in 23.05 releases. This is due to mwan3 not being fully compatible with nftables and requiring iptables compatibility/ |
| - | You will need to use nfset with dnsmasq for ipset polices to be created, which mwan3 will support. mwan3 currently does not support nfset in rules directly, hence the need to create ipset policies. | + | You will need to use nfset with dnsmasq for ipset polices to be created, which mwan3 only supports at this time. mwan3 currently does not support nfset in rules directly, hence the need to create ipset policies. |
| For help with this init script, please message @Kishi on the forum thread and also thank them if you found this useful! | For help with this init script, please message @Kishi on the forum thread and also thank them if you found this useful! | ||
| - | <code bash> | + | The script is [[https://gist.github.com/Kishi85/b7f379f9aa19f4878af28b8e1a8887ab|published as gist on GitHub]] so the full code can be inspected |
| - | #!/bin/sh / | + | |
| - | # Start before firewall and mwan3 which are at Prio 19 | + | |
| - | START=18 | + | |
| - | APP=nft2ipset | + | |
| - | USE_PROCD=1 | + | |
| - | SCRIPTPATH="/ | + | |
| - | + | ||
| - | write_script() { | + | |
| - | cat > " | + | |
| - | #!/bin/sh | + | |
| - | #check if the script is already running | + | |
| - | PID=$$ | + | |
| - | SCRIPT=" | + | |
| - | TMPDIR="/ | + | |
| - | MONITORPIDFILE=" | + | |
| - | MONITORFIFO=" | + | |
| - | mkfifo " | + | |
| - | + | ||
| - | cleanup () { | + | |
| - | # Cleanup nft monitor subprocess | + | |
| - | if [ -f " | + | |
| - | MONITORPID=" | + | |
| - | if [ " | + | |
| - | kill " | + | |
| - | fi | + | |
| - | fi | + | |
| - | # Remove pid file and fifo | + | |
| - | rm " | + | |
| - | } | + | |
| - | trap cleanup TERM INT EXIT | + | |
| - | + | ||
| - | create_or_update_ipset() { | + | |
| - | # Determine ipset parameters | + | |
| - | local DEF=" | + | |
| - | local NAME=" | + | |
| - | local OPTS="" | + | |
| - | local FAMILY=" | + | |
| - | if echo " | + | |
| - | FAMILY=" | + | |
| - | OPTS=" | + | |
| - | fi | + | |
| - | local TIMEOUT=" | + | |
| - | if [ -n " | + | |
| - | OPTS=" | + | |
| - | fi | + | |
| - | + | ||
| - | # Create or update ipset from nftables set | + | |
| - | if [ " | + | |
| - | CUR=" | + | |
| - | if ! ( echo " | + | |
| - | ( ipset destroy " | + | |
| - | elif ! ( echo " | + | |
| - | # Swap current iteration of the ipset with a new iteration due to timeout mismatch | + | |
| - | ipset create " | + | |
| - | ipset swap " | + | |
| - | ipset destroy " | + | |
| - | logger -t " | + | |
| - | fi | + | |
| - | fi | + | |
| - | if [ " | + | |
| - | # Create a new ipset with options matching the nftables set | + | |
| - | ipset create " | + | |
| - | # Restart mwan3 if this ipset is used by it, it is already running but the set name is not found in active rule output | + | |
| - | if [ $? = 0 ] && grep -q " | + | |
| - | mwan3 restart | + | |
| - | fi | + | |
| - | logger -t " | + | |
| - | fi | + | |
| - | + | ||
| - | # Add already existing entries to the set | + | |
| - | echo " | + | |
| - | if [ -n " | + | |
| - | ipset -q add " | + | |
| - | fi | + | |
| - | done | + | |
| - | } | + | |
| - | + | ||
| - | # Check if ipsets exist for all currently existing nftsets or create otherwise | + | |
| - | nft -nT list sets | tr ' | + | |
| - | create_or_update_ipset " | + | |
| - | done | + | |
| - | + | ||
| - | # Monitor nftables rule changes | + | |
| - | nft -nT monitor > " | + | |
| - | echo $! > " | + | |
| - | while read LINE; do | + | |
| - | if echo " | + | |
| - | # Check if ipset exists or create otherwise | + | |
| - | NAME=" | + | |
| - | if [ " | + | |
| - | DEF=" | + | |
| - | create_or_update_ipset " | + | |
| - | fi | + | |
| - | # Add element to ipset | + | |
| - | IP=" | + | |
| - | EXPIRES=" | + | |
| - | ADDOPTS="" | + | |
| - | if [ $EXPIRES -gt 0 ]; then | + | |
| - | ADDOPTS=" | + | |
| - | fi | + | |
| - | if ipset -q test " | + | |
| - | # Refresh | + | |
| - | ipset -q del " | + | |
| - | ipset -q add " | + | |
| - | else | + | |
| - | ipset -q add " | + | |
| - | logger -t " | + | |
| - | fi | + | |
| - | elif echo " | + | |
| - | # Create or update ipset | + | |
| - | NAME=" | + | |
| - | DEF=" | + | |
| - | create_or_update_ipset " | + | |
| - | elif echo " | + | |
| - | # Clear and try to delete removed ipset (This will fail if it is in use by any iptables rule) | + | |
| - | NAME=" | + | |
| - | ipset clear " | + | |
| - | ipset destroy " | + | |
| - | fi | + | |
| - | done < " | + | |
| - | EOT | + | |
| - | } | + | |
| - | + | ||
| - | start_service() { | + | |
| - | write_script " | + | |
| - | chmod +x " | + | |
| - | procd_open_instance | + | |
| - | procd_set_param command " | + | |
| - | procd_set_param respawn | + | |
| - | procd_close_instance | + | |
| - | } | + | |
| - | service_stopped() { | + | |
| - | rm " | + | |
| - | } | + | |
| - | # vim: ts=2 sw=2 et | + | |
| - | </ | + | |
| Installation instructions: | Installation instructions: | ||
| < | < | ||
| + | wget -O / | ||
| chmod +x / | chmod +x / | ||
| service nft2ipset enable | service nft2ipset enable | ||
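Review bot: The new install step at `wget -O /` fetches the init script from a GitHub gist whose raw URL (as far as the truncated line shows) is not pinned to a revision, yet the following lines make it executable and enable it as a root-run service at boot; a gist can be rewritten by its owner or a compromised account at any time, so the instructions should pin the `/raw/<commit-sha>/` form of the gist URL and have the reader verify a published hash, e.g. `sha256sum /etc/init.d/nft2ipset  # compare against the hash listed for that gist revision`, before `chmod +x`. Since this revision also removes the inline listing, readers lose the ability to review the code on the page itself; the new text on the right side of line 1356 should at least tell them to read the gist before running it, and the fetched file should be checked for the expected `#!/bin/sh /etc/rc.common` header so an error page saved by `wget -O` is not enabled as a service. The instruction list may continue past the end of this excerpt.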