Commit Graph

9 Commits

Author SHA1 Message Date
Stan Grishin
8bf5f683fe pbr: update to 1.2.1-r35
pbr 1.2.1-r35

Makefile:
* split uci-defaults into different purpose files
* add handling of netifd integration

Config:
* update with default values for all options (thanks @betonmischer86)

Init-script:
* add netifd integration handling
* add ip() function to emulate ip rule replace
* add netbird interfaces support (thanks @egc112)
* reorganize loading/handling of options in load_package_config()
* improve display of interface triggers in service_triggers()
* remove chains cleanup from stop_service() due to exclusive use of fw4 nft files
* improve status_service() output
* drop input and postrouting as valid options for policy chain

Uci-defaults files:
* 91-pbr-nft: cosmetic improvements

Default nft files:
* drop use of input and postrouting chains

Custom User files:
* dns-prefetch: functional improvements (thanks @betonmischer86)

Signed-off-by: Stan Grishin <stangri@melmac.ca>
2025-12-08 17:41:03 -08:00
Stan Grishin
de224a5587 pbr: update to 1.2.0-r2
Makefile:
* stop shipping/dealing with the firewall hotplug (obsolete)
* install a third user-script (dnsprefetch) by @betonmischer

Config:
* remove obsolete options
* include the new user script

Init-script:
* start much earlier so that on boot, the procd_add_raw_trigger works on all systems
* create a ubus() helper function so that service delete does not produce "Command not found"
* rename options to better reflect their function:
  * procd_lan_device to lan_device
  * procd_wan_interface to uplink_interface
  * procd_wan6_interface to uplink_interface6
  * procd_wan6_metric to uplink_interface6_metric
  * wan_ip_rules_priority to uplink_ip_rules_priority
  * wan_mark to uplink_mark
* visually separate run-time variables from variables loaded from config options
* use ${IPKG_INSTROOT} when sourcing files
* fix typo in str_to_dnsmasq_nftset()
* use pidof to kill dnsmasq in dnsmasq_kill()
* add helper function uci_add_list_if_new()
* add helper function uci_changes()
* add helper function ubus() so that service delete does not produce "Command not found"
* implement the dnsmasq features check similar to dnsmasq init script
* add get_url() function similar to luci package
* add/modify error and warning messages
* change how mktemp is used for more reliable file creation
* unset non-true boolean package config options on load for easier checks later
* improve handling of nft/nft set options
* fewer calls to resolver() and resolver() optimization to speed up the service
* use softlinks instead of duplicating dnsmasq nftset files into each instance
* prevent duplication of dnsmasq nftset elements
* option to target a specific dest dns port in DNS policies
* bugfix: more reliable interface reloads
* display README links to errors/warnings sections if any errors/warnings discovered

Uci-defaults:
* transition from old options to new ones

Signed-off-by: Stan Grishin <stangri@melmac.ca>
2025-10-10 16:34:52 -07:00
Stan Grishin
571d9e96a2 pbr: update to 1.1.8-10
* Improve verbose output on start
* Allow to not create ip rule for WG server
* Improve boot up start (take 2)
* Improve verbose output when setting triggers
* Override DNS hijack with DNS policies from pbr

Signed-off-by: Stan Grishin <stangri@melmac.ca>
2025-02-12 16:22:16 -08:00
Stan Grishin
ad1b32bc63 pbr: 1.1.7-65 bugfixes and improvements
Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 24.10.0-rc2
Run tested: x86_64, Dell EMC Edge620, OpenWrt 24.10.0-rc2

Description:
* stop building netifd flavour until netifd issues are resolved
* improve output()
* improve inline_set()
* improve is_config_enabled()
* bugfix is_domain()
* improve is_supported_protocol()
* improve is_supported_interface()
* bugfix is_tor_running()
* improve ipv4_leases_to_nftset()
* improve ipv6_leases_to_nftset()
* add check for ip-full binary on start
* bugfix: load environment on boot
* bugfix: hack around dnsmasq confdir instances
* bugfix: IPv6-related fixes for internet_routing() and status_service()
* improve netifd setup by bringing code into the init script from uci-defaults
* bugfix: do not attempt to use IPv6 prefixes in pbr.user.aws if IPv6 support is disabled in pbr config

Signed-off-by: Stan Grishin <stangri@melmac.ca>
2024-12-06 18:47:16 -08:00
Stan Grishin
34c68be148 pbr: update to 1.1.7-21
* switch to dstnat chain from dstnat_lan chain for dns & tor policies (thanks @egc112)
* re-introduce procd_lan_interface for better LAN detection
* improve is_domain function
* introduce health-check for required fw4 chains
* bugfix: avoid double counters for dns policies
* bugfix: remove faulty counters for tor policies
* rename interface_process to process_interface for better code readability
* overhaul pbr.user.aws script for a much better performance and more compact
  (gzipped) storage of the ranges json locally (thanks @bigsmile74)

Signed-off-by: Stan Grishin <stangri@melmac.ca>
2024-10-07 11:21:02 -07:00
Stan Grishin
920d64734a pbr: update to 1.1.6-20
This version is the final version supporting iptables and:

* it separates the old iptables/nft-capable init script from the new nft-only init script
* the new nft-script is a significant rewrite of the old recursive calls/policy parsing
  and tries to create inline nft sets which offers performance improvements

Signed-off-by: Stan Grishin <stangri@melmac.ca>
2024-08-06 01:44:34 +00:00
Stan Grishin
790753f6a6 pbr: update to 1.1.4-5
This update includes the following changes:
1. Makefile
  * update copyright
  * attempt to implement the proper variants to avoid luci-app dependency on both variants
  * quietly stop service on uninstall

2. Config-file
  * add the list of dnsmasq instances to target in supported dnsmasq modes
  * for default pbr variant, set the `resolver_set` to `dnsmasq.nftset`
  * for iptables pbr variant, set the `resolver_set` to `dnsmasq.ipset`
  * add the `nft_file_support` (disabled by default)
  * introduce `procd_boot_delay` to delay service start on boot
  * introduce the following nft set creation options:
    * nft_set_auto_merge
    * nft_set_counter
    * nft_set_flags_interval
    * nft_set_flags_timeout
    * nft_set_gc_interval
    * nft_set_policy
    * nft_set_timeout
  * add the pbr.user.wg_server_and_client custom user script to allow running wg server and
    client at the same time
  * add the "Ignore Local Requests" sample policy

3. Hotplug firewall/interface scripts
  * better logged messages

4. The pbr and pbr-iptables uci defaults script
  * use functions from the init script
  * improve vpn-policy-routing migration

5. The pbr-netifd uci defaults script
  * use functions from the init script
  * improve uci operations

6. Introduce the firewall.include file

7. Improve pbr.user.aws custom user script

8. Improve pbr.user.netflix custom user script

9. Introduce pbr.user.wg_server_and_client custom user script

10. Update the init file:
  * refactor some code to allow the init script file to be sourced by the uci defaults scripts
    and the luci rpcd script for shared functions
  * add support for `nft_file_mode` in which service prepares the fw4-compatible atomic nft/include
    file for faster operations on service reload
  * improve Tor support (nft mode only)
  * implement support for nft set options
  * update validation functions for new options/parameters

Signed-off-by: Stan Grishin <stangri@melmac.ca>
2024-03-20 19:10:45 +00:00
Stan Grishin
cdfff4a693 pbr: update to 1.1.1-1
*** MAKEFILE ***
* remove libubus dependency as it was causing issues
  https://forum.openwrt.org/t/policy-based-routing-pbr-package-discussion/140639/318
* move firewall hotplug directory/file creation out of default section into
  pbr and pbr-iptables packages sections in preparation for dropping it from pbr
* fix no new line after output when uninstalling packages

*** UCI-DEFAULTS ***
* only add firewall include to firewall config if the include file exists
* add shellcheck exception to netifd uci-defaults file

*** SCRIPTS ***
* more informative logging for firewall and iface hotplug scripts
* more informative logging for firewall include script

*** SERVICE ***
* introduce lock-file to prevent package starting on external events if it hasn't
  been auto- or manually started before
* use the `ip`, not `ip-full` command to prevent errors on OpenWrt 21.02
* parse firewall WAN zone to append list of interfaces
* append error and warning "arrays" with new messages
* use shared memory to store the service output/logging messages
* improve is_ovpn function to filter out false positives when interface names started
  with `tun`
* introduce is_valid_ovpn to find OpenVPN tunnels where the device name in OpenVPN config
  matches the device name in network config
* introduce opkg_get_version to compare versions of principal and luci packages
* better code to obtain AdGuardHome version with betas installed
* optimize code and add better logging for errors when inserting policies with iptables
* optimize code and add better logging for errors when inserting policies with nft
* bugfix: insert policies in all specified protocols
* bugfix: support using physical devices in policies in nft mode
* bugfix: use iptPrefix, not nftPrefix in iptables commands
* implement Tor support in nft mode
* bugfix: fix spelling for User File Syntax error
* restart service fully (instead of quick reload) for OpenVPN interface events, as
  the order/number of supported interfaces
* more verbose output (showing handles) of status in nft mode
* improve `icmp_interface`, `ignored_interface`, `supported_interface` validation
  regexes
* improve `interface` validation regex

Signed-off-by: Stan Grishin <stangri@melmac.ca>
2023-05-01 00:44:58 +00:00
Stan Grishin
47eca64cb8 pbr: initial commit
* The makefile produces the nft and iptables capable `pbr` package
  and the `pbr-iptables` package for legacy setups
* This replaces `vpnbypass` and `vpn-policy-routing` packages
* I'm soliciting feedback on this package and my intention is to
  update the version to 1.0.0 before this is merged, but I need the
  feedback on this and luci-app-pbr before then.

Signed-off-by: Stan Grishin <stangri@melmac.ca>
2022-12-03 02:30:29 +00:00